Exploit Discovered By Novalok & Kasper Of KasaNova Security
Coded By A Friend
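<?php
/*
Explanation And Proof:
File: db.inc.php
There are most likely more injections, but this was all
I found. I did not try to exploit it, just tried to find it.
-Novalok
KasaNova Security

NOTE(review): the original file was missing the opening of this comment, so
the lines above were parsed as PHP and the script did not compile. Also note
that, despite the comments further down, nothing here opens a connection or
sends a request: the script renders a form, echoes the submitted "target"
back, and prints the base64-decoding of a hard-coded string. Treat it as a
demo page, not a working proof of concept.
*/

// Submitted fields, defaulting to '' so an unset index does not raise a
// notice. "query" is collected by the form but never used by the code below.
$query  = $_POST['query']  ?? '';
$target = $_POST['target'] ?? '';

// Everything reflected into the page is attribute-escaped. $target is taken
// straight from the request and would otherwise be a reflected-XSS sink; the
// request path (PHP_SELF) is equally attacker-controlled, so it is escaped
// too instead of relying on the register_globals-era $PHP_SELF variable.
$self       = htmlspecialchars($_SERVER['PHP_SELF'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$targetAttr = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Same markup as before (including the embedded line breaks), with the two
// dynamic values escaped.
$form = '<form method="post" action="' . $self . '">'
    . 'target:<br><input type="text" name="target" size="90"
value="' . $targetAttr . '"><br>'
    . 'query:<br><input type="text" name="query" size="90"
value=""><br>'
    . '<input type="submit" value="Submit" name="submit">'
    . '</form><HR WIDTH="650" ALIGN="LEFT">';

if (!isset($_POST['submit'])) {
    echo $form;
} else {
    // Hard-coded base64 blob. The original comments describe it as a "raw byte
    // packet" for a blind SQL injection; it is not derived from $target or
    // $query and is never sent anywhere -- it is only decoded and printed.
    $packetr = "5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm9uPbiBWdWxuZXF"
        . "xcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlIGhhcXFxcyBub"
        . "yBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmcgYWJvdXQuIGx"
        . "vbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW9yb249uIFZ1b"
        . "G5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQgaGUgaGFxcXF"
        . "zIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa2luZyBhYm91d"
        . "C4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbj24"
        . "gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vIGJhZCBoZSBoY"
        . "XFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB0YWxraW5nIGF"
        . "ib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm"
        . "9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGh"
        . "lIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpb"
        . "mcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcg"
        . "bW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiY"
        . "WQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGF"
        . "sa2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2"
        . "luZyBtb3JvZOb3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbu"
        . "PbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlI"
        . "GhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmc"
        . "gYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW"
        . "9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQ"
        . "gaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa"
        . "2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2lu"
        . "ZyBtb3Jvbj24gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vI"
        . "GJhZCBoZSBoYXFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB"
        . "0YWxraW5nIGFib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdW"
        . "NraW5nIG1vcm9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB"
        . "0b28gYmFkIGhlIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxc"
        . "XFzIHRhbGtpbmcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBh"
        . "IGZ1Y2tpbmcgbW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgY"
        . "nV0IHRvbyBiYWQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCB"
        . "oZXFxcXMgdGFsa2luZyBhYm91dC4gbG9sb2w==";

    // Non-strict base64_decode() returns false only on failure; an empty
    // decode is treated the same way so the message below stays meaningful.
    // The message text itself is kept from the original even though no server
    // is contacted.
    $result = base64_decode($packetr);
    if ($result === false || $result === '') {
        echo "<p>Unable to get output of query. Try Another Query or Server May
be Down\n";
        exit;
    }

    // The decoded content is a compile-time constant, not request-derived, so
    // it is printed as-is exactly like the original.
    echo "Raw Ouput From Server:<br><br>" . $result;
    echo $form;
}
?>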