exploit-db-mirror/exploits/php/webapps/38990.txt

########################################################################################

#______________________________________________________________________________________

# Exploit Title  : Article Script SQL Injection Vulnerability

# Exploit Author : Linux Zone Research Team

# Vendor Homepage: http://articlesetup.com/

# Google Dork    : inurl:/article.php?id= intext:Powered By Article Marketing

# Software Link  : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip

# Date           : 15-December-2015

# Version        : (Version 1.00)

# CVE            : NONE

# Tested On      : Linux - Chrome

# Category       : Web Application

# MY HOME        : http://linux-zone.org/Forums - research@linux-zone.org

#______________________________________________________________________________________

#######################################################################################

#

# localHost/article.php?id=SQL

#______________________________________________________________________________________

## Vulnerability Code

<?php

include('config.php');



//Create site settings variables

$sitequery = 'select * from settings;';

$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());

$siteinfo = mysql_fetch_array($siteresult);

$siteurl = $siteinfo['url'];



$article = $_GET['id'];



if (!is_numeric($article)) {

header('Location: '.$siteurl);

}



else



{



$sitequery = 'select * from settings;';

$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());



//Create site settings variables

$siteinfo = mysql_fetch_array($siteresult);

$sitetitle = $siteinfo['title'];

$siteurl = $siteinfo['url'];

$sitecomments = $siteinfo['comments'];

$commentmod = $siteinfo['commentmod'];



$query = "select * from articles where status=0 and id = ".$article;



$articleresults = mysql_query($query,$connection) or die(mysql_error());

$num_results = mysql_num_rows($articleresults);

$articleinfo = mysql_fetch_array($articleresults);



if (!$num_results) {

header('Location: '.$siteurl);

}



//Get article info

$id = $articleinfo['id'];

$authorid = $articleinfo['authorid'];

$date = strtotime($articleinfo['date']);

$artdate = date('m/d/y', $date);

$categoryid = $articleinfo['categoryid'];

$title = stripslashes($articleinfo['title']);

$body = stripslashes($articleinfo['body']);

$resource = $articleinfo['resource'];





//Meta Info

$cathead = 0;

$metatitle = $title." - ";

include('header.php');

include('sidebar.php');





if ($seourls == 1) { $scrubtitle = generate_seo_link($title); }





// Setup the article template

$articletemp = new Template("templates/".$template."/article.tpl");



// get author info

$authorquery = "select * from authors where id=".$authorid;

$authorresult = mysql_query($authorquery,$connection) or die(mysql_error());

$authorinfo = mysql_fetch_array($authorresult);

$authorname = $authorinfo['displayname'];

$authorbio = $authorinfo['bio'];

$gravatar = $authorinfo['gravatar'];

if ($seourls == 1) { $scrubauthor = generate_seo_link($authorname); }



// get category info

$catquery = "select * from categories where id=".$categoryid;

$catresult = mysql_query($catquery,$connection) or die(mysql_error());

$catinfo = mysql_fetch_array($catresult);

$categoryname = $catinfo['name'];

$catparent = $catinfo['parentid'];

if ($seourls == 1) { $scrubcatname = generate_seo_link($categoryname); }



// if the category doesn't have a parent

if ($catparent == NULL) {

if ($seourls == 1) { // With SEO URLS

$displaycat = "<a href=\"".$siteurl."/category/".$categoryid."/"

.$scrubcatname."/\"><b>".$categoryname."</b></a>";

} else {

$displaycat = "<a href=\"".$siteurl."/category.php?id=".$categoryid

."\"><b>".$categoryname."</b></a>";

}



// if the category DOES have a parent

} else {

$query = "select * from categories where id=".$catparent;

$result = mysql_query($query,$connection) or die(mysql_error());

$info = mysql_fetch_array($result);

$parentname = $info['name'];

if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); }



if ($seourls == 1) { // With SEO URLS

$displaycat = "<a href=\"".$siteurl."/category/".$catparent."/"

.$scrubparent."/\"><b>".$parentname."</b></a> >

<a href=\"".$siteurl."/category/".$categoryid."/"

.$scrubcatname."/\"><b>".$categoryname."</b></a>";

} else {

$displaycat = "<a href=\"".$siteurl."/category.php?id=".$catparent

."\"><b>".$parentname."</b></a> >

<a href=\"".$siteurl."/category.php?id=".$categoryid

."\"><b>".$categoryname."</b></a>";

}

}





// Add a view to this article

$query = "select * from articleviews where articleid = ".$article;

$results = mysql_query($query,$connection) or die(mysql_error());

$viewinfo = mysql_fetch_array($results);

if ($viewinfo == NULL) {

$sql = "INSERT INTO articleviews VALUES (".$article.", 1)";

$query = mysql_query($sql);

} else {

$totalviews = $viewinfo['views'];

$totalviews++;



$sql = "UPDATE articleviews SET views=".$totalviews." WHERE `articleid`=".$article."";

$query = mysql_query($sql);

}



if ($seourls == 1) { // With SEO URLS

$authorlink = "<a href=\"".$siteurl."/profile/".$authorid."/".$scrubauthor."/\"><b>".$authorname."</b></a>";

} else {

$authorlink = "<a href=\"".$siteurl."/profile.php?a=".$authorid."\"><b>".$authorname."</b></a>";

}



// Setup all template variables for display

$articletemp->set("authorname", $authorname);

$articletemp->set("authorlink", $authorlink);

$articletemp->set("date", $artdate);

$articletemp->set("displaycat", $displaycat);

$articletemp->set("views", $totalviews);

$articletemp->set("title", $title);

$articletemp->set("body", $body);

$articletemp->set("gravatar", $gravatar);

$articletemp->set("resource", $resource);



// For the adcode

$query = "select * from adboxes where id=1;";

$result = mysql_query($query,$connection) or die(mysql_error());

$info = mysql_fetch_assoc($result);

$articletemp->set("250adcode", stripslashes($info['adcode']));





// Outputs the homepage template!



echo $articletemp->output();



//Displays the comments -- if admin has them enabled



if($sitecomments == 0) {

echo "<br/><h2>Comments</h2>";



require_once 'comments/classes/Comments.class.php';



/* Article ID which shows the comments */

$post_id = $article;



/* Level of hierarchy comments. Infinit if declared NULL */

$level = NULL;



/* Number of Supercomments (level 0) to display per page */

$supercomments_per_page = 10000;



/* Moderate comments? */

if ($commentmod == 0) {

$moderation = true;

} else {

$moderation = false;

}



# Setup db config array #

$db_config = array("db_name" => $db_name,

"db_user" => $dbusername,

"db_pass" => $dbpassword,

"db_host" => $server );



# Create Object of class comments

$comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config);



# Display comments #

echo $comments->getComments();

}



include('rightsidebar.php');

include('obinclude.php');



}



?>



#######################################

#

# Hassan Shakeri - Mohammad Habili

#

# Twitter : @ShakeriHassan - Fb.com/General.BlackHat

##########################################################