########################################################################################
#______________________________________________________________________________________
# Exploit Title : Article Script SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Vendor Homepage: http://articlesetup.com/
# Google Dork : inurl:/article.php?id= intext:Powered By Article Marketing
# Software Link : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Date : 15-December-2015
# Version : (Version 1.00)
# CVE : NONE
# Tested On : Linux - Chrome
# Category : Web Application
# MY HOME : http://linux-zone.org/Forums - research@linux-zone.org
#______________________________________________________________________________________
#######################################################################################
#
# localHost/article.php?id=SQL
#______________________________________________________________________________________
## Vulnerability Code
// NOTE(review): the listing begins mid-statement (the tail of a $displaycat string
// assignment) inside enclosing blocks whose opening lines are not shown. The empty
// string literals around the variables suggest the HTML markup was lost from the
// listing -- presumably stripped when the page was rendered; confirm against the
// vendor source before relying on the exact strings.
            ".$categoryname."";
        } else {
            $displaycat = "".$categoryname."";
        }
    // if the category DOES have a parent
    } else {
        // NOTE(review): $catparent is concatenated unquoted into the SQL text. Where
        // it is assigned is not visible in this excerpt; if it can be influenced by
        // request data it needs the same integer validation / bound parameter as
        // $article below.
        $query = "select * from categories where id=".$catparent;
        // die(mysql_error()) writes the raw database error into the HTTP response,
        // which discloses query structure to the client. Log it server-side and
        // return a generic error page instead.
        $result = mysql_query($query,$connection) or die(mysql_error());
        $info = mysql_fetch_array($result);
        $parentname = $info['name'];
        if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); }
        if ($seourls == 1) { // With SEO URLS
            $displaycat = "".$parentname." > ".$categoryname."";
        } else {
            $displaycat = "".$parentname." > ".$categoryname."";
        }
    }

    // Add a view to this article
    // NOTE(review): this is the pattern the advisory is about. $article is appended
    // to the query text as-is, in an unquoted numeric position, so whatever the
    // variable holds becomes part of the SQL statement. The assignment to $article
    // is not shown here; the advisory header names the id parameter of article.php
    // as the entry point -- presumably $article is read from it without validation.
    // The same value is reused in the INSERT and UPDATE below, so one unvalidated
    // input reaches three statements.
    // Mitigation: validate $article as an integer once, before the first query
    // (e.g. filter_var() with FILTER_VALIDATE_INT, rejecting the request on
    // failure), and issue these statements through mysqli or PDO prepared
    // statements with bound parameters. The mysql_* extension used here has no
    // prepared-statement support; it was deprecated in PHP 5.5 and removed in 7.0.
    $query = "select * from articleviews where articleid = ".$article;
    $results = mysql_query($query,$connection) or die(mysql_error());
    $viewinfo = mysql_fetch_array($results);
    if ($viewinfo == NULL) {
        // No view row yet for this article: create one with a count of 1.
        // $totalviews is not assigned on this path in the visible code, although it
        // is passed to the template further down.
        $sql = "INSERT INTO articleviews VALUES (".$article.", 1)";
        // The return value of this write is stored but never checked.
        $query = mysql_query($sql);
    } else {
        // Existing row: increment the stored counter and write it back.
        $totalviews = $viewinfo['views'];
        $totalviews++;
        $sql = "UPDATE articleviews SET views=".$totalviews." 
WHERE `articleid`=".$article."";
        $query = mysql_query($sql);
    }

    if ($seourls == 1) { // With SEO URLS
        $authorlink = "".$authorname."";
    } else {
        $authorlink = "".$authorname."";
    }

    // Setup all template variables for display
    // NOTE(review): whether these values are HTML-escaped before or inside
    // $articletemp->set()/output() cannot be seen from this excerpt -- verify, since
    // title, body and author name are stored content rendered into the page.
    $articletemp->set("authorname", $authorname);
    $articletemp->set("authorlink", $authorlink);
    $articletemp->set("date", $artdate);
    $articletemp->set("displaycat", $displaycat);
    $articletemp->set("views", $totalviews);
    $articletemp->set("title", $title);
    $articletemp->set("body", $body);
    $articletemp->set("gravatar", $gravatar);
    $articletemp->set("resource", $resource);

    // For the adcode
    // Constant query (no variable input); the stored ad code is passed to the
    // template after stripslashes() only.
    $query = "select * from adboxes where id=1;";
    $result = mysql_query($query,$connection) or die(mysql_error());
    $info = mysql_fetch_assoc($result);
    $articletemp->set("250adcode", stripslashes($info['adcode']));

    // Outputs the homepage template!
    echo $articletemp->output();

    // Displays the comments -- if admin has them enabled
    // ($sitecomments == 0 is the value treated as enabled here.)
    if($sitecomments == 0) {
        echo "

Comments

";
        require_once 'comments/classes/Comments.class.php';
        /* Article ID which shows the comments */
        // NOTE(review): the same unvalidated $article value is handed to the
        // Comments class. How that class uses it in its own queries is not visible
        // here -- review Comments.class.php for the same concatenation pattern.
        $post_id = $article;
        /* Level of hierarchy comments. Infinite if declared NULL */
        $level = NULL;
        /* Number of Supercomments (level 0) to display per page */
        $supercomments_per_page = 10000;
        /* Moderate comments? */
        // $commentmod == 0 turns moderation on; any other value turns it off.
        if ($commentmod == 0) {
            $moderation = true;
        } else {
            $moderation = false;
        }
        # Setup db config array #
        // The database credentials are passed to the Comments class as a plain array.
        $db_config = array("db_name" => $db_name, "db_user" => $dbusername, "db_pass" => $dbpassword, "db_host" => $server );
        # Create Object of class comments
        $comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config);
        # Display comments #
        echo $comments->getComments();
    }
    include('rightsidebar.php');
    include('obinclude.php');
}
?>
#######################################
#
# Hassan Shakeri - Mohammad Habili
#
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat
##########################################################