################################################################################# # # # TutorialMS v1.4 (show) Remote SQL Injection Vulnerability # # # ################################################################################# . . --------------------------------------------------------------------------------- | | | Vendor: TutorialMS.com | | Product web page: http://www.tutorialms.com | | Affected version: 1.4 | | | | Summary: TutorialMS is a free content management system, | | developed specifically for tutorial pages. It is written | | in PHP and uses MySQL as a database. TutorialMS offers all | | the usual features you need to build quick and easy your | | own tutorial page, without great programming knowledge. | | | | Desc: Input passed via the 'show' parameter to the | | 'includes/classes/tutorial.php' script is not properly | | sanitised before being used in a SQL query. This can be | | exploited to manipulate SQL queries by injecting arbitrary | | SQL code. | | | | Tested on : Microsoft Windows XP Professional SP3 (EN) | | Apache 2.2.14 (Win32) | | PHP 5.3.1 | | MySQL 5.1.41 | | | | Vulnerability discovered by Gjoko 'LiquidWorm' Krstic | | | | | | Advisory ID: ZSL-2011-5007 | | Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5007.php | | | | | | 04.04.2011 | | | | | --------------------------------------------------------------------------------- ````````````````````````````````````````````````````````````````````````````````` ` PoC: `````````````````````````````````````````````````````````````````````````` ` `````````````````````````````````````````````````````````````````````````` ``````````[*] http://192.168.10.64/tutorialms/tutorials.php?show=15 [SQLi]``````` ````````````````````````````````````````````````````````````````````````````````` ````````````````````````````````````````````````````````````````````````````````` ````````````````````````````````````````````````````````````````````````````````` -o o `o ' \_Q_/ I /T\ \|/ ____=0=____