Jaow 2.4.5 Blind SQL Injection

2012-05-25 / 2012-05-31
Credit: kallimero
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Jaow <= 2.4.5 Blind Sql Injection # Google Dork: intext:"propuls? par jaow 2.4.5" # Date: 23/05/2012 # Software Link: http://www.jaow.net/telechargements/Jaow_V2.4.5.zip # Version: 2.4.5 # Tested on: Debian GNU/Linux # Author: kallimero = Introduction = Jaow is a CMS that can manage sites of small sizes, thanks to its simple, commented code you can easily create templates and / or create modules to suit your needs. Jaow is the solution for small sites, blogs or portfolio. = Details = Unfortunately, a Blind SQL injection is possible in the 2.4.5 core. Vulnerable page : add_ons.php Extract from the source : -------------[ add_ons.php ]-------------- // On stocke dans une variable simple le add_on demand? $add_on = stripslashes($_GET['add_ons']); // On recherche si l'add_on est install? echo 'SELECT id,nom FROM '.$db_prefix.'add_ons WHERE nom="'.$add_on.'" AND actif="1"'; $query_add_ons = mysql_query('SELECT id,nom FROM '.$db_prefix.'add_ons WHERE nom="'.$add_on.'" AND actif="1"'); -------------[ add_ons.php ]-------------- So, we can inject sql with the add_ons variable, like that : http://[site]/[path]/add_ons.php?add_ons=[SQL injection] = Solutions = Update is avalaible here : http://www.jaow.net/Article-97 = Thanks = Thanks to necromoine, fr0g, st0rn, applestorm, Zhyar, k3nz0, m4ke and all hwc-crew members. http://hwc-crew.com/ And all npn members. http://n-pn.info/

References:

http://www.jaow.net/telechargements/Jaow_V2.4.5.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top