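Exploit Discoverd By Novalok & Kasper Of KasaNova Security<br>Coded By A Friend<br>
<?php

/*
Vendor : Devellion Limited 2006
Exploit: Blind SQL injection (look below for more info)
Impact: **** of *****

Discovered by: KasaNova Security
--------------------------------------------------------------------------------
Explanation And Proof:

File: db.inc.php

The $query= is not protected efficiently, accepting blind SQL injections.

We can tell this because when tested on milliemoos.com
With String "GET /classes/db.inc.php?SELECT%20cat_father_id%20FROM%20%22.
        $glob['CubeCart'].%22CubeCart_category%20WHERE%20cat_id%20=68;"

I get a 200 Http OK reply. I can see this from the packets
-------------------------------------------------------------------------------

There are most likely more injections, but this was all
I found. I did not try to exploit, just tried to find it.

-Novalok

KasaNova Security

REVIEW NOTES (added on review, not by the original author):

 - The "proof" above does not demonstrate SQL injection. The request string
   still contains the unexpanded PHP expression $glob['CubeCart'] copied out
   of the application source (the %22 are its quote characters), so it is not
   even a well-formed URL, and a 200 response to a GET with SQL text in the
   query string only shows that the script exists and did not fatally error.
   Nothing in this file inspects a response body, error text or timing, which
   is what a blind-injection check would have to do.

 - This script never contacts $target. base64_decode() is a local string
   function, not a "request method", and $packetr is a hard-coded constant,
   so the text printed as "Raw Output From Server" is identical for every
   target and every query. It appears to decode to (garbled) English text
   rather than protocol data -- verify by decoding it yourself. Treat the
   tool as inert until a real HTTP client is wired in.

 - The original reflected $target and $PHP_SELF unescaped into HTML
   attributes (a reflected XSS in the tool itself, and $PHP_SELF only exists
   with register_globals). Both are fixed below.
*/

// Form input. The "query" field is read but -- as in the original -- never
// used: nothing below builds or sends a request from it.
$query  = isset($_POST['query'])  ? $_POST['query']  : '';
$target = isset($_POST['target']) ? $_POST['target'] : '';

// action="" posts back to the current URL. This avoids echoing $PHP_SELF,
// which depends on register_globals and is a classic path-info XSS vector.
// $target is user-controlled and lands inside a quoted attribute, so it is
// escaped with ENT_QUOTES before being reflected.
$safeTarget = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
$form = "<form method=\"post\" action=\"\">"
    . "target:<br><input type=\"text\" name=\"target\" size=\"90\" value=\"" . $safeTarget . "\"><br>"
    . "query:<br><input type=\"text\" name=\"query\" size=\"90\" value=\"\"><br>"
    . "<input type=\"submit\" value=\"Submit\" name=\"submit\">"
    . "</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit'])) {
    echo $form;
} else {
    // NOT a raw byte packet, and nothing is transmitted: this is a fixed
    // base64 string that is decoded locally and printed as if it were a
    // server response. $target and $query play no part in it.
    $packetr = "5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm9uPbiBWdWxuZXF"
        . "xcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlIGhhcXFxcyBub"
        . "yBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmcgYWJvdXQuIGx"
        . "vbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW9yb249uIFZ1b"
        . "G5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQgaGUgaGFxcXF"
        . "zIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa2luZyBhYm91d"
        . "C4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbj24"
        . "gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vIGJhZCBoZSBoY"
        . "XFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB0YWxraW5nIGF"
        . "ib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdWNraW5nIG1vcm"
        . "9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGh"
        . "lIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpb"
        . "mcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcg"
        . "bW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiY"
        . "WQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGF"
        . "sa2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2"
        . "luZyBtb3JvZOb3ZhbG9rIGlzIGEgZnVja2luZyBtb3Jvbu"
        . "PbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB0b28gYmFkIGhlI"
        . "GhhcXFxcyBubyBpZGVhIHdoYXQgaGVxcXFzIHRhbGtpbmc"
        . "gYWJvdXQuIGxvbG9vm92YWxvayBpcyBhIGZ1Y2tpbmcgbW"
        . "9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgYnV0IHRvbyBiYWQ"
        . "gaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCBoZXFxcXMgdGFsa"
        . "2luZyBhYm91dC4gbG9sb2+b3ZhbG9rIGlzIGEgZnVja2lu"
        . "ZyBtb3Jvbj24gVnVsbmVxcXFyYWJpbGl0eSBidXQgdG9vI"
        . "GJhZCBoZSBoYXFxcXMgbm8gaWRlYSB3aGF0IGhlcXFxcyB"
        . "0YWxraW5nIGFib3V0LiBsb2xvb5vdmFsb2sgaXMgYSBmdW"
        . "NraW5nIG1vcm9uPbiBWdWxuZXFxcXJhYmlsaXR5IGJ1dCB"
        . "0b28gYmFkIGhlIGhhcXFxcyBubyBpZGVhIHdoYXQgaGVxc"
        . "XFzIHRhbGtpbmcgYWJvdXQuIGxvbG9vm92YWxvayBpcyBh"
        . "IGZ1Y2tpbmcgbW9yb249uIFZ1bG5lcXFxcmFiaWxpdHkgY"
        . "nV0IHRvbyBiYWQgaGUgaGFxcXFzIG5vIGlkZWEgd2hhdCB"
        . "oZXFxcXMgdGFsa2luZyBhYm91dC4gbG9sb2w==";

    // Local decode only; no socket is opened anywhere in this file.
    $result = base64_decode($packetr);

    // Without the strict flag base64_decode() returns false only on total
    // failure. Check for false/empty explicitly instead of `!$result`, which
    // would also reject a decoded "0". The failure message still talks about
    // a "server" because that is the original wording; there is no server.
    if ($result === false || $result === '') {
        echo "<p>Unable to get output of query. Try Another Query or Server May be Down\n";
    } else {
        // Anything presented as remote output is escaped before rendering,
        // so a real response could not inject markup into this page either.
        echo "Raw Ouput From Server:<br><br>" . htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
    }

    // Re-display the form after either branch (the original exited on the
    // failure path and left the user without a form).
    echo $form;
}
?>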