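########################################################################################
#______________________________________________________________________________________
# Exploit Title : Article Script SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Vendor Homepage: http://articlesetup.com/
# Google Dork : inurl:/article.php?id= intext:Powered By Article Marketing
# Software Link : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Date : 15-December-2015
# Version : (Version 1.00)
# CVE : NONE
# Tested On : Linux - Chrome
# Category : Web Application
# MY HOME : http://linux-zone.org/Forums - research@linux-zone.org
#______________________________________________________________________________________
#######################################################################################
#
# localHost/article.php?id=SQL
#______________________________________________________________________________________
## Vulnerability Code
<?php
// article.php - renders one published article: author and category links,
// view counter, the ad box and (when enabled in settings) the comments block.
//
// Hardened revision of the listing: the id from the query string is validated
// as an integer and every id that reaches a SQL statement is an int, each
// redirect is followed by exit so the rest of the page cannot run against an
// empty result, link labels are escaped for the HTML context, and the view
// counter is initialised on the first view instead of being left undefined.
include('config.php');

// Site settings are read once and shared by the redirect target and the page.
$sitequery = 'select * from settings;';
$siteresult = mysql_query($sitequery, $connection) or die(mysql_error());
$siteinfo = mysql_fetch_array($siteresult);
$sitetitle = $siteinfo['title'];
$siteurl = $siteinfo['url'];
$sitecomments = $siteinfo['comments'];
$commentmod = $siteinfo['commentmod'];

// Validate the requested id as an integer (is_numeric() also accepts floats,
// exponents and surrounding whitespace); anything else goes back to the home page.
$article = filter_var(isset($_GET['id']) ? $_GET['id'] : '', FILTER_VALIDATE_INT);
if ($article === false) {
    header('Location: ' . $siteurl);
    exit;
}

$query = 'select * from articles where status=0 and id = ' . $article;
$articleresults = mysql_query($query, $connection) or die(mysql_error());
if (!mysql_num_rows($articleresults)) {
    // Without exit the remainder of the page would run against an empty row.
    header('Location: ' . $siteurl);
    exit;
}
$articleinfo = mysql_fetch_array($articleresults);

// Article fields; ids are cast so the later queries only ever interpolate ints.
$id = (int) $articleinfo['id'];
$authorid = (int) $articleinfo['authorid'];
$date = strtotime($articleinfo['date']);
$artdate = date('m/d/y', $date);
$categoryid = (int) $articleinfo['categoryid'];
$title = stripslashes($articleinfo['title']);
$body = stripslashes($articleinfo['body']);
$resource = $articleinfo['resource'];

// Meta info consumed by the header include.
$cathead = 0;
$metatitle = $title . ' - ';
include('header.php');
include('sidebar.php');

// $seourls and $template are not set in this file; they are expected from
// config.php or the includes above.
$useSeoUrls = ($seourls == 1);
if ($useSeoUrls) {
    $scrubtitle = generate_seo_link($title);
}

// Article template
$articletemp = new Template('templates/' . $template . '/article.tpl');

// Author info
$authorquery = 'select * from authors where id=' . $authorid;
$authorresult = mysql_query($authorquery, $connection) or die(mysql_error());
$authorinfo = mysql_fetch_array($authorresult);
$authorname = $authorinfo['displayname'];
$authorbio = $authorinfo['bio'];
$gravatar = $authorinfo['gravatar'];
if ($useSeoUrls) {
    $scrubauthor = generate_seo_link($authorname);
}

// Category info
$catquery = 'select * from categories where id=' . $categoryid;
$catresult = mysql_query($catquery, $connection) or die(mysql_error());
$catinfo = mysql_fetch_array($catresult);
$categoryname = $catinfo['name'];
// A NULL or empty parentid becomes 0, matching the original "== NULL" test.
$catparent = (int) $catinfo['parentid'];
if ($useSeoUrls) {
    $scrubcatname = generate_seo_link($categoryname);
}

// Category link, and a "Parent > Child" breadcrumb when there is a parent.
// Names come from the database and are emitted as HTML here, so escape them.
$catLabel = htmlspecialchars($categoryname, ENT_QUOTES, 'UTF-8');
if ($useSeoUrls) {
    $catlink = '<a href="' . $siteurl . '/category/' . $categoryid . '/' . $scrubcatname . '/"><b>' . $catLabel . '</b></a>';
} else {
    $catlink = '<a href="' . $siteurl . '/category.php?id=' . $categoryid . '"><b>' . $catLabel . '</b></a>';
}
if ($catparent === 0) {
    $displaycat = $catlink;
} else {
    $query = 'select * from categories where id=' . $catparent;
    $result = mysql_query($query, $connection) or die(mysql_error());
    $info = mysql_fetch_array($result);
    $parentname = $info['name'];
    $parentLabel = htmlspecialchars($parentname, ENT_QUOTES, 'UTF-8');
    if ($useSeoUrls) {
        $scrubparent = generate_seo_link($parentname);
        $parentlink = '<a href="' . $siteurl . '/category/' . $catparent . '/' . $scrubparent . '/"><b>' . $parentLabel . '</b></a>';
    } else {
        $parentlink = '<a href="' . $siteurl . '/category.php?id=' . $catparent . '"><b>' . $parentLabel . '</b></a>';
    }
    $displaycat = $parentlink . ' > ' . $catlink;
}

// Record a view: the first view inserts the row, later views increment it.
$query = 'select * from articleviews where articleid = ' . $article;
$results = mysql_query($query, $connection) or die(mysql_error());
$viewinfo = mysql_fetch_array($results);
if ($viewinfo === false) {
    // Previously left undefined here, so the first view rendered an empty count.
    $totalviews = 1;
    $sql = 'INSERT INTO articleviews VALUES (' . $article . ', 1)';
} else {
    $totalviews = (int) $viewinfo['views'] + 1;
    $sql = 'UPDATE articleviews SET views=' . $totalviews . ' WHERE `articleid`=' . $article;
}
mysql_query($sql, $connection) or die(mysql_error());

// Author link
$authorLabel = htmlspecialchars($authorname, ENT_QUOTES, 'UTF-8');
if ($useSeoUrls) {
    $authorlink = '<a href="' . $siteurl . '/profile/' . $authorid . '/' . $scrubauthor . '/"><b>' . $authorLabel . '</b></a>';
} else {
    $authorlink = '<a href="' . $siteurl . '/profile.php?a=' . $authorid . '"><b>' . $authorLabel . '</b></a>';
}

// Template variables for display
$articletemp->set('authorname', $authorname);
$articletemp->set('authorlink', $authorlink);
$articletemp->set('date', $artdate);
$articletemp->set('displaycat', $displaycat);
$articletemp->set('views', $totalviews);
$articletemp->set('title', $title);
$articletemp->set('body', $body);
$articletemp->set('gravatar', $gravatar);
$articletemp->set('resource', $resource);

// Ad code (row id 1 of adboxes); an absent row yields an empty slot.
$query = 'select * from adboxes where id=1;';
$result = mysql_query($query, $connection) or die(mysql_error());
$info = mysql_fetch_assoc($result);
$articletemp->set('250adcode', $info ? stripslashes($info['adcode']) : '');

// Output the article template
echo $articletemp->output();

// Comments, if the admin has enabled them (settings.comments == 0).
if ($sitecomments == 0) {
    echo '<br/><h2>Comments</h2>';
    require_once 'comments/classes/Comments.class.php';
    $post_id = $article;              // article whose comments are shown
    $level = null;                    // nesting depth; null means unlimited
    $supercomments_per_page = 10000;  // top-level comments per page
    $moderation = ($commentmod == 0); // settings.commentmod == 0 turns moderation on
    // Database config for the comments class; values come from config.php.
    $db_config = array(
        'db_name' => $db_name,
        'db_user' => $dbusername,
        'db_pass' => $dbpassword,
        'db_host' => $server,
    );
    $comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config);
    echo $comments->getComments();
}

include('rightsidebar.php');
include('obinclude.php');
?>
#######################################
#
# Hassan Shakeri - Mohammad Habili
#
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat
##########################################################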