WSCreator 1.1 - Blind SQL Injection

EDB-ID:

10446




Platform:

PHP

Date:

2009-12-14


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

 Name              WSCreator
 Vendor            http://www.wscreator.com
 Versions Affected 1.1

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2009-12-15

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX


I. ABOUT THE APPLICATION

Based on one of the world's leading structure  and content
management systems - WebSiteAdmin, WSCreator  (WS standing
for WebSite) is powerful application for handling multiple
websites. This is a commercial application.


II. DESCRIPTION

The email  value is not properly sanitised  when an INSERT
query  is  used and  this is  the cause of  the  Blind SQL
Injection.


III. ANALYSIS

Summary:

 A) Blind SQL Injection

A) Blind SQL Injection

Like I wrote previous, the email field is not properly san
itised, infact if you try to insert an "'", you will obtain
a SQL error message like the following:

You have an error in your SQL syntax; check the manual that
corresponds  to  your  MySQL  server  version for the right
syntax to use near ''','127.0.0.1','1260844198','error','')

The module affected is ADMIN/loginaction.php at line 2.
As you can see, that is a INSERT SQL syntax.

In  order to  exploit  this vulnerability,  the flag Magic
Quotes GPG (php.ini) must be Off.


IV. SAMPLE CODE

username: ',(SELECT BENCHMARK(99999999, MD5(0x90))),'','','')#
password: foo


V. FIX

No Fix.