ArticleSetup Article Script 1.00 - SQL Injection

EDB-ID:

38990

CVE:


EDB Verified:

Author:

Linux Zone Research Team

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2015-12-15

Vulnerable App: 
######################################################################################## 

#______________________________________________________________________________________ 

# Exploit Title  : Article Script SQL Injection Vulnerability 

# Exploit Author : Linux Zone Research Team 

# Vendor Homepage: http://articlesetup.com/ 

# Google Dork    : inurl:/article.php?id= intext:Powered By Article Marketing 

# Software Link  : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip 

# Date           : 15-December-2015 

# Version        : (Version 1.00) 

# CVE            : NONE 

# Tested On      : Linux - Chrome 

# Category       : Web Application 

# MY HOME        : http://linux-zone.org/Forums - research@linux-zone.org 

#______________________________________________________________________________________ 

####################################################################################### 

# 

# localHost/article.php?id=SQL 

#______________________________________________________________________________________ 

## Vulnerability Code 

<?php 

include('config.php'); 



//Create site settings variables 

$sitequery = 'select * from settings;'; 

$siteresult = mysql_query($sitequery,$connection) or die(mysql_error()); 

$siteinfo = mysql_fetch_array($siteresult); 

$siteurl = $siteinfo['url']; 



$article = $_GET['id']; 



if (!is_numeric($article)) { 

header('Location: '.$siteurl); 

} 



else 



{   



$sitequery = 'select * from settings;'; 

$siteresult = mysql_query($sitequery,$connection) or die(mysql_error()); 



//Create site settings variables 

$siteinfo = mysql_fetch_array($siteresult); 

$sitetitle = $siteinfo['title']; 

$siteurl = $siteinfo['url']; 

$sitecomments = $siteinfo['comments']; 

$commentmod = $siteinfo['commentmod']; 



$query = "select * from articles where status=0 and id = ".$article; 



$articleresults = mysql_query($query,$connection) or die(mysql_error()); 

$num_results = mysql_num_rows($articleresults); 

$articleinfo = mysql_fetch_array($articleresults); 



if (!$num_results) { 

header('Location: '.$siteurl); 

} 



//Get article info 

$id = $articleinfo['id']; 

$authorid = $articleinfo['authorid']; 

$date = strtotime($articleinfo['date']); 

$artdate = date('m/d/y', $date); 

$categoryid = $articleinfo['categoryid']; 

$title = stripslashes($articleinfo['title']); 

$body = stripslashes($articleinfo['body']); 

$resource = $articleinfo['resource']; 





//Meta Info 

$cathead = 0; 

$metatitle = $title." - "; 

include('header.php'); 

include('sidebar.php'); 





if ($seourls == 1) { $scrubtitle = generate_seo_link($title); } 





// Setup the article template 

$articletemp = new Template("templates/".$template."/article.tpl"); 



// get author info 

$authorquery = "select * from authors where id=".$authorid; 

$authorresult = mysql_query($authorquery,$connection) or die(mysql_error()); 

$authorinfo = mysql_fetch_array($authorresult); 

$authorname = $authorinfo['displayname']; 

$authorbio = $authorinfo['bio']; 

$gravatar = $authorinfo['gravatar']; 

if ($seourls == 1) { $scrubauthor = generate_seo_link($authorname); } 



// get category info 

$catquery = "select * from categories where id=".$categoryid; 

$catresult = mysql_query($catquery,$connection) or die(mysql_error()); 

$catinfo = mysql_fetch_array($catresult); 

$categoryname = $catinfo['name']; 

$catparent = $catinfo['parentid']; 

if ($seourls == 1) { $scrubcatname = generate_seo_link($categoryname); } 



// if the category doesn't have a parent 

if ($catparent == NULL) { 

if ($seourls == 1) { // With SEO URLS 

$displaycat = "<a href=\"".$siteurl."/category/".$categoryid."/" 

.$scrubcatname."/\"><b>".$categoryname."</b></a>"; 

} else { 

$displaycat = "<a href=\"".$siteurl."/category.php?id=".$categoryid 

."\"><b>".$categoryname."</b></a>"; 

} 



// if the category DOES have a parent 

} else { 

$query = "select * from categories where id=".$catparent; 

$result = mysql_query($query,$connection) or die(mysql_error()); 

$info = mysql_fetch_array($result); 

$parentname = $info['name']; 

if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); } 



if ($seourls == 1) { // With SEO URLS 

$displaycat = "<a href=\"".$siteurl."/category/".$catparent."/" 

.$scrubparent."/\"><b>".$parentname."</b></a> > 

<a href=\"".$siteurl."/category/".$categoryid."/" 

.$scrubcatname."/\"><b>".$categoryname."</b></a>"; 

} else { 

$displaycat = "<a href=\"".$siteurl."/category.php?id=".$catparent 

."\"><b>".$parentname."</b></a> > 

<a href=\"".$siteurl."/category.php?id=".$categoryid 

."\"><b>".$categoryname."</b></a>"; 

} 

} 





// Add a view to this article 

$query = "select * from articleviews where articleid = ".$article; 

$results = mysql_query($query,$connection) or die(mysql_error()); 

$viewinfo = mysql_fetch_array($results); 

if ($viewinfo == NULL) { 

$sql = "INSERT INTO articleviews VALUES (".$article.", 1)"; 

$query = mysql_query($sql); 

} else { 

$totalviews = $viewinfo['views']; 

$totalviews++; 



$sql = "UPDATE articleviews SET views=".$totalviews." WHERE `articleid`=".$article.""; 

$query = mysql_query($sql); 

} 



if ($seourls == 1) { // With SEO URLS 

$authorlink = "<a href=\"".$siteurl."/profile/".$authorid."/".$scrubauthor."/\"><b>".$authorname."</b></a>"; 

} else { 

$authorlink = "<a href=\"".$siteurl."/profile.php?a=".$authorid."\"><b>".$authorname."</b></a>"; 

} 



// Setup all template variables for display 

$articletemp->set("authorname", $authorname); 

$articletemp->set("authorlink", $authorlink); 

$articletemp->set("date", $artdate); 

$articletemp->set("displaycat", $displaycat); 

$articletemp->set("views", $totalviews); 

$articletemp->set("title", $title); 

$articletemp->set("body", $body); 

$articletemp->set("gravatar", $gravatar); 

$articletemp->set("resource", $resource); 



// For the adcode 

$query = "select * from adboxes where id=1;"; 

$result = mysql_query($query,$connection) or die(mysql_error()); 

$info = mysql_fetch_assoc($result); 

$articletemp->set("250adcode", stripslashes($info['adcode'])); 





// Outputs the homepage template! 



echo $articletemp->output(); 



//Displays the comments -- if admin has them enabled 



if($sitecomments == 0) { 

echo "<br/><h2>Comments</h2>"; 



require_once 'comments/classes/Comments.class.php'; 



/* Article ID which shows the comments */ 

$post_id = $article; 



/* Level of hierarchy comments. Infinit if declared NULL */ 

$level = NULL; 



/* Number of Supercomments (level 0) to display per page */ 

$supercomments_per_page = 10000; 



/* Moderate comments? */ 

if ($commentmod == 0) { 

$moderation = true; 

} else { 

$moderation = false; 

} 



# Setup db config array # 

$db_config = array("db_name" => $db_name, 

"db_user" => $dbusername, 

"db_pass" => $dbpassword, 

"db_host" => $server ); 



# Create Object of class comments 

$comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config); 



# Display comments # 

echo $comments->getComments(); 

} 



include('rightsidebar.php'); 

include('obinclude.php'); 



} 



?> 



####################################### 

# 

# Hassan Shakeri - Mohammad Habili 

# 

# Twitter : @ShakeriHassan - Fb.com/General.BlackHat 

##########################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services