51 lines
1.5 KiB
Text
Executable file
51 lines
1.5 KiB
Text
Executable file
# Exploit Title: Jaow <= 2.4.5 Blind Sql Injection
|
|
# Google Dork: intext:"propuls? par jaow 2.4.5"
|
|
# Date: 23/05/2012
|
|
# Software Link: http://www.jaow.net/telechargements/Jaow_V2.4.5.zip
|
|
# Version: 2.4.5
|
|
# Tested on: Debian GNU/Linux
|
|
# Author: kallimero
|
|
|
|
|
|
= Introduction =
|
|
|
|
|
|
Jaow is a CMS that can manage sites of small sizes, thanks to its simple,
|
|
commented code you can easily create templates and / or create modules to
|
|
suit your needs. Jaow is the solution for small sites, blogs or portfolio.
|
|
|
|
= Details =
|
|
|
|
Unfortunately, a Blind SQL injection is possible in the 2.4.5 core.
|
|
|
|
Vulnerable page : add_ons.php
|
|
Extract from the source :
|
|
|
|
-------------[ add_ons.php ]--------------
|
|
// On stocke dans une variable simple le add_on demand?
|
|
$add_on = stripslashes($_GET['add_ons']);
|
|
|
|
// On recherche si l'add_on est install?
|
|
|
|
echo 'SELECT id,nom FROM '.$db_prefix.'add_ons WHERE nom="'.$add_on.'"
|
|
AND actif="1"';
|
|
|
|
$query_add_ons = mysql_query('SELECT id,nom FROM '.$db_prefix.'add_ons
|
|
WHERE nom="'.$add_on.'" AND actif="1"');
|
|
|
|
-------------[ add_ons.php ]--------------
|
|
|
|
So, we can inject sql with the add_ons variable, like that :
|
|
http://[site]/[path]/add_ons.php?add_ons=[SQL injection]
|
|
|
|
|
|
= Solutions =
|
|
|
|
Update is avalaible here : http://www.jaow.net/Article-97
|
|
|
|
|
|
= Thanks =
|
|
|
|
Thanks to necromoine, fr0g, st0rn, applestorm, Zhyar, k3nz0, m4ke and all
|
|
hwc-crew members. http://hwc-crew.com/
|
|
And all npn members. http://n-pn.info/
|