Next Page >>
SQL injection
List of found vulnerabilities
===============================================================================
1. Sql Injection vulnerability in "account-inbox.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reasons:
1. unsanitized user submitted parameter "origmsg" is used in sql query
Preconditions:
Description:
Pligg is a popular open source, full featured, content management
system written in php. There are a number of vulnerabilities
within Pligg that allow for remote file enumeration, file inclusion,
cross site scripting, and sql injection. When combined these issues
allow for remote code execution on the affected installation
via arbitrary php code placed within template files once admin
credentials are gained via SQL Injection.
Advisory: IceWarp WebMail Server: SQL Injection in Groupware Component
During a penetration test RedTeam Pentesting discovered multiple
SQL-Injections in the IceWarp WebMail Server. Attackers that are in
control of a user account for the web-based email and groupware
components are able to execute arbitrary SQL SELECT statements and
therefore read any data from the DBMS that are accessible by the Icewarp
eMail Server.
Summary
=======
The Management Center for Cisco Security Agents is affected by a
directory traversal vulnerability and a SQL injection vulnerability.
Successful exploitation of the directory traversal vulnerability may
allow an authenticated attacker to view and download arbitrary files
from the server hosting the Management Center. Successful
exploitation of the SQL injection vulnerability may allow an
authenticated attacker to execute SQL statements that can cause
#!/usr/bin/perl
#-----------------------------------------------------------------
#BLIND SQL INJECTION (GET var 'AlbumID')--RTWebalbum 1.0.462-->
#-----------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://rtwebalbum.x12.pl/
#-->DOWNLOAD: http://sourceforge.net/projects/rtwebalbum/
#-->DEMO: http://rtwebalbum.x12.pl/
CVE IDs in this security advisory:
1) Authentication bypass - CVE-2010-4279
2) OS Command Injection - CVE-2010-4278
3) SQL Injection - CVE-2010-4280
4) Blind SQL Injection - CVE-2010-4280
5) Path Traversal - CVE-2010-4281 - CVE-2010-4282 - CVE-2010-4283
[+] Introduction
phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities
Name phpCollegeExchange
Vendor http://phpcollegeex.sourceforge.net
Versions Affected 0.1.5c
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2009-12-11
#!/usr/bin/perl
#---------------------------------------------------
#BLIND SQL INJECTION EXPLOIT--TemaTres 1.0.3-->
#---------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.r020.com.ar/tematres/
#-->DOWNLOAD: http://sourceforge.net/projects/tematres/
#-->DEMO: http://www.r020.com.ar/tematres/index.php
#!/usr/bin/perl
#
#-------------------------------------------------
# (module custompage.php) BLIND SQL INJECTION
#-------------------------------------------------
#
# CMS INFORMATION:
#
#-->WEB: http://www.clantiger.com
#-->DOWNLOAD: http://www.clantiger.com/download-clan-cms
# GulfTech Security Research August 18, 2008
##########################################################
# Vendor : Turnkey Web Tools, Inc
# URL : http://www.turnkeywebtools.com
# Version : SunShop <= 4.1.4
# Risk : SQL Injection
##########################################################
Description:
SunShop shopping cart is a full featured ecommerce solution written
########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: Pooya Site Builder (PSB) SQL Injection Vulnerabilities
# Vendor: www.paridel.com
# Vulnerable Version: 6.0 (Assembly Version)
# Exploit: Available
# Impact: High
# Fix: N/A
a) if webserver directory listing is enabled, then filename can be easily found
b) bruteforce is possible -> ~100 000 tries needed max for filename guessing
###############################################################################
4. SQL Injection in "includes/classes/searchbox.inc.php"
###############################################################################
Reason: failure to sufficiently sanitize user-supplied input data
Attack vector: user submitted GET parameter "max"
Preconditions:
#!/usr/bin/perl
#-----------------------------------------------
#BLIND SQL INJECTION--Leap CMS 0.1.4-->
#-----------------------------------------------
#
# CMS INFORMATION:
#
#-->WEB: http://leap.gowondesigns.com/
#-->DEMO: http://php.opensourcecms.com/scripts/details.php?scriptid=161&name=Leap
#-->CATEGORY: CMS / Lite
#------------
#
#magic quotes=OFF
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#POST http://[HOST]/[PATH]/index.php HTTP/1.1
#Host: [HOST]
#User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
#-------
#
#Valid username
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#POST http://[HOST]/[PATH]/plugin.php?page=your_account.php&mode=passlost HTTP/1.1
#Host: [HOST]
#User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
- Severity: Moderately High
=============================================
I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection
II. BACKGROUND
-------------------------
Invision Power Board (IPB) is a professional forum system that has
II. DESCRIPTION
This CMS is affected by multiple remote security flaws,
such as SQL Injection, Arbitrary File upload, etc.
These security flaws DO NOT require authentication. Other
files may be vulnerable.
III. ANALYSIS
[waraxe-2008-SA#069] - Multiple Sql Injection in vBulletin 3.7.4
===============================================================================
Author: Janek Vind "waraxe"
Date: 17. November 2008
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-69.html
- Severity: 8.5/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
WP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities
II. BACKGROUND
-------------------------
WP-Forum is a discussion forum plugin for WordPress. It works with
WordPress 2+ version and PHP >= 5.0
#!/usr/bin/perl
#
#
#------------------------------------------------------------------------------------------
#(GET var 'id') BLIND SQL INJECTION EXPLOIT --Dog Pedigree Online Database v1.0.1-Beta -->
#------------------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://thewhippetarchives.net/twa_is_offline.php
#
# CMS VULNERABILITY:
#
#-->TESTED ON: firefox 3
#-->DORK: N/A
#-->CATEGORY: BLIND SQL INJECTION/ PERL EXPLOIT
#-->AFFECT VERSION: LAST = 1.2 BETA (Maybe <= ?)
#-->Discovered Bug date: 2009-04-20
#-->Reported Bug date: 2009-04-20
#-->Fixed bug date: Not fixed
#-->Info patch (????): Not fixed
Application: BlogMan
http://sourceforge.net/projects/blogman/
Version: 0.45
Bug: * Multiple SQL Injection
* Authentication Bypass
* Privilege Escalation
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
1- [Remote Attacker] can login to hosting controller Panel. He can also change all others' passwords.
2- [User] can copy a file to hosting controller web directory which is executed under administrative privilege, so attacker can execute his commands by administrative privilege. e.g. an attacker can gain remote desktop of server using this bug and uploading an ASP file!
3- [Remote Attacker] can make a new user.
4- [Remote Attacker] can change all user's profiles.
5- [User] can see all the database information by a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall other's FrontPage extensions.
8- [User] can delete all of gateway information.
9- [User] can enable or disable pay type.
10- [[User] can see all usernames in the server by "fp2000/NEWSRVR.asp".
Released on: 2007/12/16
Changelog: 2007/12/16
Summary: [HT] Remote File Inclusion
[MT] SQL Injection
[MT] SQL Injection Protection Bypass
[__] Conclusion
Legend: L - Low risk M - Medium risk
H - High risk T - Tested
_____________
Summary:
A) Multiple Remote Command Execution
B) Multiple SQL Injection
C) Multiple Blind SQL Injection
D) XSS
A) Multiple Remote Command Execution
Amblog 1.0 Joomla Component Multiple SQL Injection Vulnerabilities
Name Amblog
Vendor http://robitbt.hu
Versions Affected 1.0
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-08-10
good example of this. Its impossible to account for all the ways a variable can be mangled once it
enters a program and if you Sanitize input when it first enters the program there will be cases where it
will become dangerous again. This isn't only a problem for SQLi, its also a problem for XSS. I am
inserting JS into the database, which isn't a vulnerablity, but printing it, is persistant XSS.
The blind sql injection is a bit strange. I can't use white space or commas, which is a pain. I had to
rewrite my general purpose Blind SQLi Class to accommodate. A binary search is used to greatly
speed up the blind sqli attack.
(which I also used in my php-nuke exploit: http://www.exploit-db.com/exploits/12510/)
Special thanks to Reiners for this sqli filter evasion cheat sheet:
Release Type: Co-ordinated, responsible disclosure
2. Vulnerability Information
----------------------------------------------------------------------------------------------
Class: SQL Injection, Insecure File Upload, Cross Site Scripting,
Filepath Disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
#!/usr/bin/perl
#---------------------------------------------------------------------------
#(POST var 'rating') BLIND SQL INJECTION--microTopic v1 Initial Release-->
#---------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://sourceforge.net/projects/microtopic/
#-->DOWNLOAD: http://sourceforge.net/projects/microtopic/
#-->DEMO: N/A
eoCMS SQL injection vulnerability
1. General information
eoCMS is an open source code software which is used to develop Internet
forum (http://eocms.com/). On October 15, 2009, Bkis Security detected a
SQL injection vulnerability in some functions of eoCMS.
This is a critical vulnerability which allows hacker to access the data
in the database and execute unauthorized tasks. Bkis has informed the
Next Page>>
|
