ArticleLive 1.7.1.2 'blogs.php?Id' SQL Injection Explained

What this paper is
This paper details a SQL injection vulnerability found in ArticleLive version 1.7.1.2. The vulnerability exists in the blogs.php script, specifically when handling the Id parameter. The author, BAYBORA, demonstrates how an attacker can exploit this to extract user credentials (username and password) from the ArticleLive_users table.
Simple technical breakdown
The core of the vulnerability lies in how the web application processes the Id parameter in blogs.php. Instead of properly sanitizing or validating the input, the application directly incorporates it into a SQL query. This allows an attacker to inject malicious SQL code.
The exploit uses a UNION SELECT statement. This is a common SQL injection technique that allows an attacker to combine the results of their injected query with the results of the original, legitimate query. In this case, the attacker manipulates the query to select specific data (username and password) from the ArticleLive_users table and display it as part of the web page's output.
Complete code and payload walkthrough
The provided exploit is a URL string that demonstrates the SQL injection. There is no separate code or payload in the traditional sense (like C code or shellcode bytes) within this paper. The "code" is the crafted URL.
Let's break down the exploit URL:
http://server/[path]//blogs.php?id=-768+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,144,15,16,17,18,19,20,21,22,23,24,25,26,27+from+ArticleLive_users+limit+01--
- http://server/[path]//blogs.php?id= : This is the base URL pointing to the vulnerable script. server and [path] are placeholders for the actual server address and application path. The id= parameter is where the injection occurs.
- -768 : This is a numerical value that is likely intended to be part of the original query's WHERE clause. By providing a value that probably won't match any existing Id, the original query will likely return no results. This is a common tactic to ensure the UNION SELECT part of the query dominates the output.
- +union+select+ : This is the core of the injection.
  - UNION: This SQL operator combines the result sets of two or more SELECT statements.
  - SELECT: This keyword initiates a query to retrieve data.
  - The + symbols represent URL-encoded spaces.
- 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,144,15,16,17,18,19,20,21,22,23,24,25,26,27 : This is the crucial part of the UNION SELECT statement.
  - The numbers (1, 3, 4, etc.) represent the columns that the attacker expects the original query to return. The attacker needs to match the number of columns to avoid a SQL error.
  - concat(username,0x3a,password): This is the most important injected element.
    - concat(): This is a SQL function that concatenates (joins) strings.
    - username: This refers to the username column in the ArticleLive_users table.
    - 0x3a: This is the hexadecimal representation of the colon character (:). It's used as a separator between the username and password.
    - password: This refers to the password column in the ArticleLive_users table.
  - The goal here is to create a single string that contains the username, a colon, and the password. This combined string will be displayed in one of the columns of the output.
- +from+ArticleLive_users+ : This specifies the table from which to retrieve the data. ArticleLive_users is the name of the table containing user credentials.
- limit+01 : This clause limits the number of rows returned by the UNION SELECT statement to one. The attacker is likely interested in just one set of credentials to start.
- -- : This is a SQL comment indicator. It comments out the rest of the original SQL query that might follow the Id parameter. This prevents syntax errors and ensures only the injected query is executed.
Mapping list:
- blogs.php?id= -> Vulnerable script endpoint and parameter.
- -768 -> Placeholder value to likely nullify original query results.
- union select -> SQL operator to combine query results.
- 1, 3, 4, ... 27 -> Placeholder column values to match the original query's column count.
- concat(username,0x3a,password) -> Injected SQL function to extract and format user credentials.
- ArticleLive_users -> Target table containing sensitive user data.
- limit 01 -> Restricts the output to a single record.
- -- -> SQL comment to ignore the remaining parts of the original query.
Practical details for offensive operations teams
- Required Access Level: Typically, no elevated privileges are needed beyond the ability to interact with the web application as a regular user. The vulnerability is in the web interface itself.
- Lab Preconditions:
- A running instance of ArticleLive version 1.7.1.2 (or a demonstrably vulnerable earlier version) is required.
- The web server must be accessible and configured to run the ArticleLive application.
- A database must be configured and populated with at least one user in the ArticleLive_users table.
- Tooling Assumptions:
- A web browser for manual testing or reconnaissance.
- A web proxy like Burp Suite or OWASP ZAP is highly recommended for intercepting, modifying, and replaying HTTP requests. This makes crafting and testing the exploit URL much easier.
- SQL injection tools (e.g., sqlmap) could potentially automate this, but understanding the manual exploit is crucial.
- Execution Pitfalls:
  - Column Count Mismatch: If the original query in blogs.php returns a different number of columns than what the attacker specifies in the UNION SELECT statement, the query will fail with a SQL error. The attacker must enumerate the correct number of columns.
  - Web Application Firewall (WAF): Modern WAFs can detect and block common SQL injection patterns like UNION SELECT. The attacker might need to employ evasion techniques (e.g., character encoding, case variations, alternative syntax).
  - Database Configuration: If the ArticleLive_users table is not accessible or doesn't exist, or if the database user running the web application lacks sufficient privileges to query it, the exploit will fail.
  - Application Logic: The blogs.php script might have additional logic that filters or sanitizes the Id parameter in ways not immediately obvious from the exploit URL.
  - URL Encoding: Spaces and special characters in the exploit URL must be correctly URL-encoded (e.g., + for space, %27 for apostrophe).
- Tradecraft Considerations:
  - Reconnaissance: Before attempting exploitation, understand the application's structure, identify the target script (blogs.php), and the vulnerable parameter (Id).
  - Enumeration: If the exact column count is unknown, an attacker would first perform column enumeration (e.g., id=1 UNION SELECT NULL,NULL,NULL...) to find the correct number. Then, they would test which column is suitable for displaying concatenated data.
  - Payload Delivery: The extracted credentials can be used to log into the admin panel (http://server/[path]/admin/).
  - Stealth: Minimize noisy requests. Use comments (--) to avoid syntax errors. Be aware of logging on the web server and database.
Where this was used and when
- Context: This exploit targets the ArticleLive Content Management System (CMS), specifically its blog functionality. The goal is to gain administrative access to the website.
- Approximate Year: The paper was published on January 1, 2010. Therefore, this vulnerability was actively being discussed and likely exploited around 2010. It's possible it existed in earlier versions and was patched in later ones.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical defense. Never trust user input. All data coming from the client-side (URL parameters, form fields, cookies, etc.) must be strictly validated and sanitized before being used in database queries. Use parameterized queries (prepared statements) as they inherently separate code from data.
- Least Privilege Principle: The database user account running the web application should have only the minimum necessary privileges. It should not have permissions to query sensitive tables like user credential stores unless absolutely required for its core function.
- Web Application Firewalls (WAFs): Implement and properly configure WAFs to detect and block common attack patterns, including SQL injection. Keep WAF rules updated.
- Regular Patching and Updates: Keep all web applications, CMS platforms, and their underlying frameworks updated to the latest versions. Vendors often release patches for known vulnerabilities.
- Secure Coding Practices: Train developers on secure coding principles, including the dangers of SQL injection and how to prevent it using secure API calls and frameworks.
- Database Auditing and Monitoring: Monitor database logs for suspicious queries or access patterns that might indicate an attempted or successful SQL injection.
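The following Python is an added illustration of the parameterized-query advice above; it is written for this write-up and is not ArticleLive's own source. It assumes an in-memory SQLite stand-in for the blogs and ArticleLive_users tables (the schema, the query shape in build_query_unsafe and all function names are constructed here) and shows the paper's payload being rejected by an integer allow-list check and, even without that check, treated as inert data once it is passed as a bound parameter.

```python
import re
import sqlite3

# Constructed copy of the write-up's payload, URL-decoded ('+' -> space).
PAYLOAD = ("-768 union select 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,"
           "11,12,13,144,15,16,17,18,19,20,21,22,23,24,25,26,27 "
           "from ArticleLive_users limit 01--")


def make_db():
    """Constructed stand-in for the ArticleLive schema: one blog row, one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blogs (Id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE ArticleLive_users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO blogs VALUES (1, 'first post')")
    conn.execute("INSERT INTO ArticleLive_users VALUES ('admin', 'hash-placeholder')")
    return conn


def build_query_unsafe(raw_id):
    """The vulnerable pattern the paper describes (assumed query shape): the
    parameter is pasted into the SQL text, so the UNION becomes part of the
    statement. The string is returned for inspection, not executed."""
    return "SELECT * FROM blogs WHERE Id = " + raw_id


def is_valid_blog_id(raw_id):
    """Allow-list check: a blog id is a short run of decimal digits, nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", raw_id) is not None


def fetch_blog_bound(conn, value):
    """Parameterized query: the value is bound as data and never parsed as SQL,
    so the payload is compared as a text literal against Id and matches no row."""
    row = conn.execute("SELECT title FROM blogs WHERE Id = ?", (value,)).fetchone()
    return row[0] if row else None


def get_blog(conn, raw_id):
    """Defence in depth: reject anything that is not an integer id, then bind."""
    if not is_valid_blog_id(raw_id):
        raise ValueError("blog id must be a decimal integer")  # caller answers 400
    return fetch_blog_bound(conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(PAYLOAD))      # injected UNION is visible in the SQL text
    print(fetch_blog_bound(db, PAYLOAD))    # None: the bound payload matches nothing
    print(get_blog(db, "1"))                # first post
```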
ASCII visual (if applicable)
This exploit is a direct manipulation of a web request and its interaction with the backend. An ASCII visual can represent the flow of data.
+------------------+      +-------------------+      +-----------------+      +------------------+
| Attacker's       |----->| Web Browser       |----->| Web Server      |----->| Database Server  |
| Machine          |      | (Crafted Request) |      | (ArticleLive)   |      | (ArticleLive_db) |
+------------------+      +-------------------+      +--------+--------+      +------------------+
                                                              |
                                                              | (Vulnerable blogs.php)
                                                              |
                                                              v
                                                     +-------------------+
                                                     | SQL Query Builder |
                                                     +-------------------+
                                                              |
                                                              | (Injects: UNION SELECT...)
                                                              v
                                                     +-------------------+
                                                     | Malicious SQL     |
                                                     | Query             |
                                                     +-------------------+
                                                              |
                                                              v
                                                    +---------------------+
                                                    | Data Extraction     |
                                                    | (username:password) |
                                                    +---------------------+
Source references
- Paper ID: 10884
- Paper Title: ArticleLive 1.7.1.2 - 'blogs.php?Id' SQL Injection
- Author: BAYBORA
- Published: 2010-01-01
- Paper URL: https://www.exploit-db.com/papers/10884
- Raw Exploit URL: https://www.exploit-db.com/raw/10884
Original Exploit-DB Content (Verbatim)
*******************************************************************************
# Author : Baybora
# Product : ArticleLive (Interspire Website Publisher)
# Version : NX.1.7.1.2 (and possibly earlier versions)
# Download : http://www.interspire.com/
# Price : $ 249
# Site : www.1923turk.biz
Vulnerable script: blogs.php?Id = (SQL-injection)
---------------------------------------------------------
http://server/[path]//blogs.php?id= [SQL Inject]
blogs.php?id=-768+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,144,15,16,17,18,19,20,21,22,23,24,25,26,27+from+ArticleLive_users+limit+01--
Admin Login->
http://server/[path]/admin/
"""""""""""""""""""""
Gamoscu - Manas58 - Delibey - Tiamo - Psiko - Turco - infazci - X-TRO