Share
# Exploit Title: 60CycleCMS 2.5.2 - 'news.php' SQL Injection  
# Google Dork: N/A  
# Date: 2020-03-07  
# Exploit Author: Unkn0wn  
# Vendor Homepage: http://davidvg.com/  
# Software Link: https://www.opensourcecms.com/60cyclecms  
# Version: 2.5.2  
# Tested on: Ubuntu  
# CVE : N/A  
---------------------------------------------------------  
  
SQL Injection vulnerability:  
----------------------------  
in file /common/lib.php Line 64 -73  
*  
function getCommentsLine($title)  
{  
=09$title =3D addslashes($title);  
=09$query =3D "SELECT `timestamp` FROM `comments` WHERE entry_id=3D '$title=  
'";  
=09// query MySQL server  
=09$result=3Dmysql_query($query) or die("MySQL Query fail: $query");=09  
=09$numComments =3D mysql_num_rows($result);  
=09$encTitle =3D urlencode($title);  
=09return '<a href=3D"post.php?post=3D' . $encTitle . '#comments" >' . $num=  
Comments . ' comments</a>';=09  
}  
lib.php line 44:  
*  
=09$query =3D "SELECT `timestamp`,`author`,`text` FROM `comments` WHERE `en=  
try_id` =3D'$title' ORDER BY `timestamp` ASC";  
  
*  
*  
news.php line 3:  
*  
require 'common/lib.php';  
*=20  
Then in line 15 return query us:  
*  
$query =3D "SELECT MAX(`timestamp`) FROM `entries  
*  
  
http://127.0.0.1/news.php?title=3D$postName[SQL Injection]  
----------------------------  
Cross Site-Scripting vulnerability:  
File news.php in line: 136-138 :  
*  
$ltsu =3D $_GET["ltsu"];  
$etsu =3D $_GET["etsu"];  
$post =3D $_GET["post"];  
*  
get payload us and printEnerty.php file in line 26-27:  
*  
<? echo '<a class=3D"navLink" href=3D"index.php?etsu=3D' . $etsu . '">Older=  
></a>';  
<? echo '<a class=3D"navLink" href=3D"index.php?ltsu=3D' . 0 . '">Oldest &g=  
t;>|</a>';=20  
*  
  
print it for us!  
http://127.0.0.1/index.php?etsu=3D[XSS Payloads]  
http://127.0.0.1/index.php?ltsu=3D[XSS Payloads]  
----------------------------------------------------------  
  
# @ 2010 - 2020  
# Underground Researcher