what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SphereCMS 1.1 Alpha Blind SQL Injection

SphereCMS 1.1 Alpha Blind SQL Injection
Posted Feb 19, 2010
Authored by AmnPardaz Security Research Team | Site bugreport.ir

SphereCMS version 1.1 Alpha suffers from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | 9431cbe88f2428736d7c267ae83535ba81f25462355a52476e9c29052d518294

SphereCMS 1.1 Alpha Blind SQL Injection

Change Mirror Download
##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title: SphereCMS Blind SQL Injection Vulnerability
# Vendor: http://sphere.xlentprojects.se/
# Vulnerable Version: 1.1 alpha (Latest version till now)
# Exploitation: Remote with browser
# Fix: N/A
###################################################################################

####################
- Description:
####################

SphereCMS is a CMS which allow managing forum, archive posts, chat like
posts (named shoutbox), friend in the site and personal profile. It has
one theme, but a buty one.
It uses MySQL as its backend DBMS and is written in PHP language.


####################
- Vulnerability:
####################

+--> Blind SQL Injection
The archive page is vulnerable to SQL injection. The GET variable,
namely 'view',
is not sanitized correctly in the SQL query. This hole can be used
for extracting
admin password. For deatils see 'Exploits' section.

####################
- Exploits/PoCs:
####################

+--> Exploiting The (MySQL) Blind SQL Injection:
The GET variavle 'view' in archive madule can be used for hacking process.
Check URI 'example.com/archive.php?view=***'; SQL query can be placed
at '***'.
The users password is stored in `xcms_members` table. For extracting
password of 'Admin'
we could use following SQL injection vector:
?view=17' AND EXISTS
(/*%00*/SELECT * FROM xcms_members
WHERE username='Admin'
AND substr(/*%00*/password,#,1)='@') AND '1'='1
replacing # with 1, 2, 3, ... and @ with different characters. The
result page will show
the archive post with id '17' on correct and show no archive post if
@ was wrong.
So the password can be extracted in O(length of encrypted pass)=O(1).

+++ Special Technique for Bypassing SphereCMS Security Check:
SphereCMS checks all of parameters including 'view' GET parameter
before doing any
process. In these checks, any parameter which has a pattern like
"(*)" will result
to "die ()". Also we can not check the password words without
parenthesizes (it is
required for substr function and there are no substitute solution).

For bypassing this check, I consider MySQL and PHP together. The PHP
functions will consider
all strings JUST untill first null character. Also MySQL support
comment syntax
like /* the comment */ and before executing any SQL query, these
comments will be removed
from the query by MySQL.
Thus I place a null character within MySQL comment right after each
open parenthesis. So
when PHP search for parenthesises, it find nothing since it reaches
null and finish searching.
Also when query is going to be executed, the null character will be
removed within the comment
(see the '(/*%00*/' in the above SQL injection vector).

####################
- Solution:
####################

The parameters must be sanitized using the context sensitive
sanitizing function provided
by MySQL (mysql_real_escape_string), instead of manual sanitizing
which is usually error prone.

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_68.htm

####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close