My first CVE: CVE-2016-1000329 in BlogPHP

While the affected software, BlogPHP, isn’t in widespread use (at least I hope not!) and is outdated and abandoned by its developer, this find means a lot to me because it’s my first CVE. The vulnerability has also been overlooked by many people for years, including those who worked on the Breach 2.1 vulnhub challenge. Breach 2.1 is a boot2root/CTF challenge that attempts to showcase a real-world penetration test scenario. My full write-up of my pentest of Breach can be found here.

I used an XSS exploit to steal the admin’s cookie, which should have allowed me to log in as admin, but it didn’t work. Knowing that the admin user was logging in to a blog hosted on the same host, I decided to take a look at the HTTP headers to see whether I needed to change something in the “Referer” field for the stolen cookie to let me log in as admin. I initially tried changing it to localhost and 127.0.0.1 with no success.

While fuzzing the HTTP “Referer” header I discovered a blind SQL injection. Using an input of '+(select*from(select(sleep(20)))a)+' (single quotes included) results in a 20-second delay before the page renders. I was able to further exploit the vulnerability using sqlmap. I saved the request from Burp Suite to a text file and exploited it with sqlmap using “sqlmap -r req.txt --level=5 --risk=3”.
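Because the Referer header is sent by the client, it is attacker-controlled input like any other and must not be concatenated into a query; the defender-side counterpart is spotting probes like the one above in web-server logs. The following is an added example (not code from the post or from BlogPHP) that scans Apache/nginx combined-format log lines, whose Referer field is logged verbatim, for time-delay and quote-break injection indicators; the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Apache/nginx "combined" log format; the Referer is the first quoted field
# after the response size. Sample lines below are constructed for this example.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Injection indicators in a header value: MySQL time-delay functions (the post's
# payload uses sleep()), subselects, and the quote-break boolean test sqlmap emits.
SQLI_PATTERNS = [
    re.compile(r"\bsleep\s*\(", re.I),
    re.compile(r"\bbenchmark\s*\(", re.I),
    re.compile(r"\bselect\b.*\bfrom\b", re.I),
    re.compile(r"'\s*(and|or)\s+[^=]+=", re.I),
]

@dataclass
class Finding:
    ip: str
    timestamp: str
    referer: str
    pattern: str

def scan_referers(log_text: str) -> list:
    """Return one Finding per log line whose Referer matches an SQLi indicator."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = unquote(m.group("referer"))  # undo %27 etc., keep '+' as-is
        for pat in SQLI_PATTERNS:
            if pat.search(referer):
                findings.append(Finding(m.group("ip"), m.group("ts"), referer, pat.pattern))
                break
    return findings

SAMPLE_LOG = """\
192.0.2.10 - - [10/Dec/2016:14:03:11 +0000] "GET /blog/index.php HTTP/1.1" 200 5120 "http://blog.example/blog/" "Mozilla/5.0"
192.0.2.77 - - [10/Dec/2016:14:03:19 +0000] "GET /blog/index.php HTTP/1.1" 200 5120 "'+(select*from(select(sleep(20)))a)+'" "Mozilla/5.0"
192.0.2.77 - - [10/Dec/2016:14:03:40 +0000] "GET /blog/index.php HTTP/1.1" 200 5120 "http://blog.example/%27 AND 1=1 AND %27x%27=%27x" "sqlmap/1.0"
"""

if __name__ == "__main__":
    for f in scan_referers(SAMPLE_LOG):
        print(f"{f.ip} at {f.timestamp}: Referer={f.referer!r} matched {f.pattern}")
```

The combined format records no response time, so a time-based probe shows up here only by its payload; if your log format includes request duration (Apache %D, nginx $request_time), correlating a flagged Referer with a multi-second response is the stronger confirmation.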

I submitted my CVE request through MITRE, who notified me that “The Distributed Weakness Filing (DWF) Project is the CVE Numbering Authority (CNA) currently responsible for assigning CVE IDs to open source software vulnerabilities that are outside of the current CVE coverage goals listed at http://cve.mitre.org/cve/data_sources_product_coverage.html.”

CVE listing for CVE-2016-1000329 on DWF.