Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22938
HistoryDec 15, 2009 - 12:00 a.m.

WSCreator 1.1 Blind SQL Injection

2009-12-1500:00:00
vulners.com
18
JSON

WSCreator 1.1 Blind SQL Injection

Name WSCreator
Vendor http://www.wscreator.com
Versions Affected 1.1

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2009-12-15

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION

Based on one of the world's leading structure and content
management systems - WebSiteAdmin, WSCreator (WS standing
for WebSite) is powerful application for handling multiple
websites. This is a commercial application.

II. DESCRIPTION

The email value is not properly sanitised when an INSERT
query is used and this is the cause of the Blind SQL
Injection.

III. ANALYSIS

Summary:

A) Blind SQL Injection

A) Blind SQL Injection

Like I wrote previous, the email field is not properly san
itised, infact if you try to insert an "'", you will obtain
a SQL error message like the following:

You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right
syntax to use near ''','127.0.0.1','1260844198','error','')

The module affected is ADMIN/loginaction.php at line 2.
As you can see, that is a INSERT SQL syntax.

In order to exploit this vulnerability, the flag Magic
Quotes GPG (php.ini) must be Off.

IV. SAMPLE CODE

username: ',(SELECT BENCHMARK(99999999, MD5(0x90))),'','','')#
password: foo

V. FIX

No Fix.

JSON