[Full-disclosure] Remote Sql Injection in EasyMoblog 0.5.1

·= Security Advisory =·

Issue: Sql injection Vulnerability in EasyMoblog by Umberto Caldera.
Discovered Date: 30/01/07
Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]
Product Vendor: http://sourceforge.net/project/showfiles.php?group_id=88633
Ver: easymoblog-0.5.1
Details:

EasyMoblog is prone to a Sql Injection Vulnerability.
The vulnerability exists in post_details function, caused by the
lack of Input Validation/Filtering of quotation and malicious
characters in the GET parameter "i".

The use of post_details function is done by "list_comments.php"
that exist in "libraries.inc.php".

Contents of libraries.inc.php:

…

function post_details ($post_id) {
if (CFG_USE_PATH_INFO == 'no')
$iisbug = '?';
else
$iisbug = '';

$query = "
select p.*, count(c.post_id) as post_comments, count(tr.post_id) as post_trackback_pings, t.topic_name, concat(t.img_id,'.',i.img_extension) as topic_img
from ".CFG_MYSQL_TABPREFIX."posts p
left join ".CFG_MYSQL_TABPREFIX."comments c
on p.post_id = c.post_id
left join ".CFG_MYSQL_TABPREFIX."trackback_pings tr
on p.post_id = tr.post_id
left join ".CFG_MYSQL_TABPREFIX."topics t
on p.topic_id = t.topic_id
left join ".CFG_MYSQL_TABPREFIX."images i
on t.img_id = i.img_id
where p.post_id = '".$post_id."'
group by p.post_id
";
$res = mysql_query($query);

…

Contents of list_comments.php:

…

$post_id = '';
if (isset($_GET['i'])) $post_id = $_GET['i'];

$post = post_details ($post_id);
…

Exploitation URL:
http://www.example.com/easymoblog/list_comments.php?i='[SQL]

Successful exploitation may allow execution of Sql code.
This could also be exploited to get the passwords, users,
and a lot of informaion, commit Denial Of Service attacks and more…

Proof Of Concept:
http://www.example.com/easymoblog/list_comments.php?i='[SQL]