
Assesi Serviço de Informação Cidadão e-Sic Brazil SQL Inj

KingSkrupellos Apr 24th, 2019 (edited)
###################################################################

# Exploit Title : Assesi Serviço de Informação Cidadão e-Sic Brazil SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 25/04/2019
# Vendor Homepage : esic.cgu.gov.br - acessoainformacao.gov.br - assesi.com.br
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:/materias.php?id= site:gov.br  intext:Erro ao executar a query:
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################

# Impact :
***********
Assesi Serviço de Informação Cidadão e-Sic Brazil is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser or with any SQL Injector Tool.

###################################################################

# SQL Injection Exploit :
**********************
/materias.php?id=[SQL Injection]

###################################################################

# Example Vulnerable Sites :
*************************
###################################################################

# Example SQL Database Error :
****************************
Erro ao executar a query: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use near '' at line 1

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################
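As an added example that is not part of the original advisory, the following Python script applies the same rule a fixed materias.php should enforce (id must be a plain integer) to web-server access logs, so any request whose id parameter carries a quote, space, keyword or empty value on that path is reported. The log lines, IP addresses and the Apache combined log layout are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2019:10:01:02 -0300] "GET /materias.php?id=298 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Apr/2019:10:01:05 -0300] "GET /materias.php?id=298%27 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Apr/2019:10:01:09 -0300] "GET /materias.php?id=298%20x HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.12 - - [25/Apr/2019:10:02:00 -0300] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.13 - - [25/Apr/2019:10:03:00 -0300] "GET /materias.php?id=1&id=2 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.14 - - [25/Apr/2019:10:04:00 -0300] "GET /materias.php?id= HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# materias.php?id= selects a record by numeric key, so the allow-list is "digits only".
ID_OK = re.compile(r"^\d{1,10}$")

def parse_line(line):
    # Split one log line into fields and decode the query string into a dict of lists.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def classify(rec):
    # Return a reason string when the request violates the id allow-list, else None.
    if rec is None or rec["path"] != "/materias.php":
        return None
    ids = rec["query"].get("id")
    if ids is None:
        return None  # page requested without an id parameter
    if len(ids) > 1:
        return "duplicate id parameter"
    if not ID_OK.match(ids[0]):
        return f"non-numeric id: {ids[0]!r}"  # quotes, spaces, keywords, empty values all land here
    return None

def scan(log_text):
    # Collect (ip, timestamp, reason) for every suspicious request in the log text.
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append((rec["ip"], rec["ts"], reason))
    return findings
```

Because the check is an allow-list rather than a signature list, it catches probes that no keyword blocklist anticipates, at the cost of flagging any client that sends a malformed but harmless id.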