WSCreator 1.1 Blind SQL Injection Dec 15 2009 02:48AM
Salvatore Fresta aka Drosophila (drosophilaxxx gmail com)
WSCreator 1.1 Blind SQL Injection

Name WSCreator
Vendor http://www.wscreator.com
Versions Affected 1.1

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2009-12-15

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION

Based on one of the world's leading structure and content
management systems - WebSiteAdmin, WSCreator (WS standing
for WebSite) is powerful application for handling multiple
websites. This is a commercial application.

II. DESCRIPTION

The email value is not properly sanitised when an INSERT
query is used and this is the cause of the Blind SQL
Injection.

III. ANALYSIS

Summary:

A) Blind SQL Injection

A) Blind SQL Injection

Like I wrote previous, the email field is not properly san
itised, infact if you try to insert an "'", you will obtain
a SQL error message like the following:

You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right
syntax to use near ''','127.0.0.1','1260844198','error','')

The module affected is ADMIN/loginaction.php at line 2.
As you can see, that is a INSERT SQL syntax.

In order to exploit this vulnerability, the flag Magic
Quotes GPG (php.ini) must be Off.

IV. SAMPLE CODE

username: ',(SELECT BENCHMARK(99999999, MD5(0x90))),'','','')#
password: foo

V. FIX

No Fix.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus