WSCreator 1.1 Blind SQL Injection

`WSCreator 1.1 Blind SQL Injection  
  
Name WSCreator  
Vendor http://www.wscreator.com  
Versions Affected 1.1  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2009-12-15  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
  
Based on one of the world's leading structure and content  
management systems - WebSiteAdmin, WSCreator (WS standing  
for WebSite) is powerful application for handling multiple  
websites. This is a commercial application.  
  
  
II. DESCRIPTION  
  
The email value is not properly sanitised when an INSERT  
query is used and this is the cause of the Blind SQL  
Injection.  
  
  
III. ANALYSIS  
  
Summary:  
  
A) Blind SQL Injection  
  
A) Blind SQL Injection  
  
Like I wrote previous, the email field is not properly san  
itised, infact if you try to insert an "'", you will obtain  
a SQL error message like the following:  
  
You have an error in your SQL syntax; check the manual that  
corresponds to your MySQL server version for the right  
syntax to use near ''','127.0.0.1','1260844198','error','')  
  
The module affected is ADMIN/loginaction.php at line 2.  
As you can see, that is a INSERT SQL syntax.  
  
In order to exploit this vulnerability, the flag Magic  
Quotes GPG (php.ini) must be Off.  
  
  
IV. SAMPLE CODE  
  
username: ',(SELECT BENCHMARK(99999999, MD5(0x90))),'','','')#  
password: foo  
  
  
V. FIX  
  
No Fix.  
`