SphereCMS 1.1 Alpha Blind SQL Injection

`##########################www.BugReport.ir########################################  
#  
# AmnPardaz Security Research Team  
#  
# Title: SphereCMS Blind SQL Injection Vulnerability  
# Vendor: http://sphere.xlentprojects.se/  
# Vulnerable Version: 1.1 alpha (Latest version till now)  
# Exploitation: Remote with browser  
# Fix: N/A  
###################################################################################  
  
####################  
- Description:  
####################  
  
SphereCMS is a CMS which allow managing forum, archive posts, chat like  
posts (named shoutbox), friend in the site and personal profile. It has  
one theme, but a buty one.  
It uses MySQL as its backend DBMS and is written in PHP language.  
  
  
####################  
- Vulnerability:  
####################  
  
+--> Blind SQL Injection  
The archive page is vulnerable to SQL injection. The GET variable,   
namely 'view',  
is not sanitized correctly in the SQL query. This hole can be used   
for extracting  
admin password. For deatils see 'Exploits' section.  
  
####################  
- Exploits/PoCs:  
####################  
  
+--> Exploiting The (MySQL) Blind SQL Injection:  
The GET variavle 'view' in archive madule can be used for hacking process.  
Check URI 'example.com/archive.php?view=***'; SQL query can be placed   
at '***'.  
The users password is stored in `xcms_members` table. For extracting   
password of 'Admin'  
we could use following SQL injection vector:  
?view=17' AND EXISTS  
(/*%00*/SELECT * FROM xcms_members  
WHERE username='Admin'  
AND substr(/*%00*/password,#,1)='@') AND '1'='1  
replacing # with 1, 2, 3, ... and @ with different characters. The   
result page will show  
the archive post with id '17' on correct and show no archive post if   
@ was wrong.  
So the password can be extracted in O(length of encrypted pass)=O(1).  
  
+++ Special Technique for Bypassing SphereCMS Security Check:  
SphereCMS checks all of parameters including 'view' GET parameter   
before doing any  
process. In these checks, any parameter which has a pattern like   
"(*)" will result  
to "die ()". Also we can not check the password words without   
parenthesizes (it is  
required for substr function and there are no substitute solution).  
  
For bypassing this check, I consider MySQL and PHP together. The PHP   
functions will consider  
all strings JUST untill first null character. Also MySQL support   
comment syntax  
like /* the comment */ and before executing any SQL query, these   
comments will be removed  
from the query by MySQL.  
Thus I place a null character within MySQL comment right after each   
open parenthesis. So  
when PHP search for parenthesises, it find nothing since it reaches   
null and finish searching.  
Also when query is going to be executed, the null character will be   
removed within the comment  
(see the '(/*%00*/' in the above SQL injection vector).  
  
####################  
- Solution:  
####################  
  
The parameters must be sanitized using the context sensitive   
sanitizing function provided  
by MySQL (mysql_real_escape_string), instead of manual sanitizing   
which is usually error prone.  
  
####################  
- Original Advisory:  
####################  
  
http://www.bugreport.ir/index_68.htm  
  
####################  
- Credit:  
####################  
AmnPardaz Security Research & Penetration Testing Group  
Contact: admin[4t}bugreport{d0t]ir  
www.BugReport.ir  
www.AmnPardaz.com  
`