
Article Script 1.00 SQL Injection

🗓️ 15 Dec 2015 00:00:00 — Reported by Linux Zone Research Team. Type: packetstorm

Article Script 1.00 SQL Injection Vulnerability Expose

Code
`  
  
########################################################################################   
  
#______________________________________________________________________________________   
  
# Exploit Title : Article Script SQL Injection Vulnerability   
  
# Exploit Author : Linux Zone Research Team   
  
# Vendor Homepage: http://articlesetup.com/   
  
# Google Dork : inurl:/article.php?id= intext:Powered By Article Marketing   
  
# Software Link : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip   
  
# Date : 15-December-2015   
  
# Version : (Version 1.00)   
  
# CVE : NONE   
  
# Tested On : Linux - Chrome   
  
# Category : Web Application   
  
# MY HOME : http://linux-zone.org/Forums - [email protected]   
  
#______________________________________________________________________________________   
  
#######################################################################################   
  
#   
  
# localHost/article.php?id=SQL   
  
#______________________________________________________________________________________   
  
## Vulnerability Code   
  
<?php
// article.php (Article Script 1.00, as quoted in the advisory): renders one
// article selected by the `id` query-string parameter. It loads the site
// settings, the article row, its author and category, bumps a view counter,
// fills templates/<template>/article.tpl and, if enabled, appends comments.
// Every database call below goes through the legacy mysql_* extension
// (deprecated in PHP 5.5, removed in PHP 7.0) and every id is spliced into
// the SQL text by string concatenation — no prepared statements anywhere.

// NOTE(review): $connection, $seourls, $template, $db_name, $dbusername,
// $dbpassword and $server are read below but never assigned in this file;
// presumably config.php defines them — confirm.
include('config.php');



//Create site settings variables

$sitequery = 'select * from settings;';

$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());

$siteinfo = mysql_fetch_array($siteresult);

// Redirect target for every bail-out path in this script.
$siteurl = $siteinfo['url'];



// Untrusted input: the article id comes straight from the query string.
$article = $_GET['id'];



// The only check the request value ever gets. is_numeric() accepts more than
// a positive integer id (signed, float and exponent forms, leading whitespace),
// and the raw string — not a cast — is what gets concatenated, unquoted, into
// the articles and articleviews queries further down. A `(int)` cast or a
// prepared statement would make this a real guard rather than a filter.
if (!is_numeric($article)) {

// No exit() after the Location header; harmless here only because the rest
// of the script lives in the else branch.
header('Location: '.$siteurl);

}



else



{



// Second read of the same settings row (already fetched above); this pass
// also picks up the comment/moderation flags.
$sitequery = 'select * from settings;';

$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());



//Create site settings variables

$siteinfo = mysql_fetch_array($siteresult);

$sitetitle = $siteinfo['title'];

$siteurl = $siteinfo['url'];

$sitecomments = $siteinfo['comments'];

$commentmod = $siteinfo['commentmod'];



// String-built SQL with the request-supplied id appended unquoted. This is
// the `article.php?id=` injection point named in the advisory header.
$query = "select * from articles where status=0 and id = ".$article;



$articleresults = mysql_query($query,$connection) or die(mysql_error());

$num_results = mysql_num_rows($articleresults);

// false when the query matched nothing.
$articleinfo = mysql_fetch_array($articleresults);



if (!$num_results) {

// Missing exit(): after the Location header is sent, execution falls through
// into the article-info block with $articleinfo === false, so header.php and
// sidebar.php are still included and the author query below is still built
// from an empty $authorid before the redirect ever takes effect.
header('Location: '.$siteurl);

}



//Get article info

$id = $articleinfo['id'];

// Taken from the DB row, then concatenated unquoted into the authors and
// categories queries below (second-order; not request-controlled in this
// file).
$authorid = $articleinfo['authorid'];

$date = strtotime($articleinfo['date']);

$artdate = date('m/d/y', $date);

$categoryid = $articleinfo['categoryid'];

// stripslashes() undoes escaping applied at storage time. No HTML escaping
// is applied anywhere in this file before these reach the template; whether
// Template::set()/output() escapes is not visible here — confirm.
$title = stripslashes($articleinfo['title']);

$body = stripslashes($articleinfo['body']);

$resource = $articleinfo['resource'];





//Meta Info

$cathead = 0;

// presumably consumed by header.php — TODO confirm
$metatitle = $title." - ";

include('header.php');

include('sidebar.php');





if ($seourls == 1) { $scrubtitle = generate_seo_link($title); }





// Setup the article template

// $template is expected from config.php; the path is built by concatenation.
$articletemp = new Template("templates/".$template."/article.tpl");



// get author info

// Unquoted concatenation of a DB-sourced id (see note at $authorid).
$authorquery = "select * from authors where id=".$authorid;

$authorresult = mysql_query($authorquery,$connection) or die(mysql_error());

$authorinfo = mysql_fetch_array($authorresult);

$authorname = $authorinfo['displayname'];

$authorbio = $authorinfo['bio'];

$gravatar = $authorinfo['gravatar'];

if ($seourls == 1) { $scrubauthor = generate_seo_link($authorname); }



// get category info

// Same pattern: DB-sourced $categoryid concatenated unquoted.
$catquery = "select * from categories where id=".$categoryid;

$catresult = mysql_query($catquery,$connection) or die(mysql_error());

$catinfo = mysql_fetch_array($catresult);

$categoryname = $catinfo['name'];

$catparent = $catinfo['parentid'];

if ($seourls == 1) { $scrubcatname = generate_seo_link($categoryname); }



// if the category doesn't have a parent

// Loose comparison: 0, '' and '0' also satisfy `== NULL` here.
if ($catparent == NULL) {

if ($seourls == 1) { // With SEO URLS

// Category name and site URL are placed into anchor markup without any
// escaping visible in this file.
$displaycat = "<a href=\"".$siteurl."/category/".$categoryid."/"

.$scrubcatname."/\"><b>".$categoryname."</b></a>";

} else {

$displaycat = "<a href=\"".$siteurl."/category.php?id=".$categoryid

."\"><b>".$categoryname."</b></a>";

}



// if the category DOES have a parent

} else {

// Parent lookup, again by unquoted concatenation of a DB-sourced id.
$query = "select * from categories where id=".$catparent;

$result = mysql_query($query,$connection) or die(mysql_error());

$info = mysql_fetch_array($result);

$parentname = $info['name'];

if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); }



if ($seourls == 1) { // With SEO URLS

// Note: the string literal below spans multiple lines; the line break between
// the two anchors is part of the emitted HTML.
$displaycat = "<a href=\"".$siteurl."/category/".$catparent."/"

.$scrubparent."/\"><b>".$parentname."</b></a> >

<a href=\"".$siteurl."/category/".$categoryid."/"

.$scrubcatname."/\"><b>".$categoryname."</b></a>";

} else {

$displaycat = "<a href=\"".$siteurl."/category.php?id=".$catparent

."\"><b>".$parentname."</b></a> >

<a href=\"".$siteurl."/category.php?id=".$categoryid

."\"><b>".$categoryname."</b></a>";

}

}





// Add a view to this article

// Request-supplied $article concatenated unquoted again (read, then write).
$query = "select * from articleviews where articleid = ".$article;

$results = mysql_query($query,$connection) or die(mysql_error());

$viewinfo = mysql_fetch_array($results);

if ($viewinfo == NULL) {

// First view: INSERT built from the raw request value. Unlike every other
// query in this file, mysql_query() is called without $connection and its
// return value is stored in $query and never checked.
$sql = "INSERT INTO articleviews VALUES (".$article.", 1)";

$query = mysql_query($sql);

} else {

$totalviews = $viewinfo['views'];

$totalviews++;



// UPDATE built from the raw request value; same unchecked call as above.
$sql = "UPDATE articleviews SET views=".$totalviews." WHERE `articleid`=".$article."";

$query = mysql_query($sql);

}



if ($seourls == 1) { // With SEO URLS

// Author display name placed into anchor markup without escaping visible here.
$authorlink = "<a href=\"".$siteurl."/profile/".$authorid."/".$scrubauthor."/\"><b>".$authorname."</b></a>";

} else {

$authorlink = "<a href=\"".$siteurl."/profile.php?a=".$authorid."\"><b>".$authorname."</b></a>";

}



// Setup all template variables for display

$articletemp->set("authorname", $authorname);

$articletemp->set("authorlink", $authorlink);

$articletemp->set("date", $artdate);

$articletemp->set("displaycat", $displaycat);

// $totalviews is only assigned in the UPDATE branch above; on an article's
// first view it is undefined at this point.
$articletemp->set("views", $totalviews);

// Raw article title/body (see stripslashes note above).
$articletemp->set("title", $title);

$articletemp->set("body", $body);

$articletemp->set("gravatar", $gravatar);

$articletemp->set("resource", $resource);



// For the adcode

$query = "select * from adboxes where id=1;";

$result = mysql_query($query,$connection) or die(mysql_error());

$info = mysql_fetch_assoc($result);

// Stored ad markup is emitted as-is; that is intentional for ad code but
// means whoever can write the adboxes row controls page content.
$articletemp->set("250adcode", stripslashes($info['adcode']));





// Outputs the homepage template!



echo $articletemp->output();



//Displays the comments -- if admin has them enabled



// Comments are shown when the flag is 0 (inverted from the obvious reading).
if($sitecomments == 0) {

echo "<br/><h2>Comments</h2>";



require_once 'comments/classes/Comments.class.php';



/* Article ID which shows the comments */

// Same unvalidated request value; whether Comments parameterises it is not
// visible in this file — confirm.
$post_id = $article;



/* Level of hierarchy comments. Infinit if declared NULL */

$level = NULL;



/* Number of Supercomments (level 0) to display per page */

$supercomments_per_page = 10000;



/* Moderate comments? */

// Moderation is on when the flag is 0 (same inverted convention as above).
if ($commentmod == 0) {

$moderation = true;

} else {

$moderation = false;

}



# Setup db config array #

// Raw DB credentials (presumably from config.php) handed to the Comments
// class in an array.
$db_config = array("db_name" => $db_name,

"db_user" => $dbusername,

"db_pass" => $dbpassword,

"db_host" => $server );



# Create Object of class comments

$comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config);



# Display comments #

echo $comments->getComments();

}



include('rightsidebar.php');

include('obinclude.php');



}



// Closing tag in a file that already emits output; any whitespace after it
// is sent to the client as well.
?>
  
  
  
#######################################   
  
#   
  
# Hassan Shakeri - Mohammad Habili   
  
#   
  
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat   
  
##########################################################  
  
  
`
