1 #==================================================================================================
2 #!/usr/bin/perl
3 use IO::Socket;
4 #==================================================================================================
5
6 #==============================================================================#
7
8 # Jacek Wlodarczyk (j4ck) - jacekwlo[at]gmail[dot]com #
9
10 #==============================================================================#
11
12 #==================================================================================================
13 #Title: Eskolar CMS 0.9.0.0 Blind SQL Injection Exploit and bypass admin logon vulnerability
14 #Application: Eskolar CMS
15 #Version: 0.9.0.0
16 #Url: http://sourceforge.net/projects/eskolar/
17 #==================================================================================================
18
19 #==================================================================================================
20 #Affected software description:
21
22 #Input that is not properly sanitized can be used to inject crafted SQL queries and cause
23 #the database server to execute an invalid SQL query. A Blind SQL Injection attack can be used
24 #to determine the CMS username and password, and classical SQL Injection can be used
25 #to bypass the admin logon. The CMS password is stored in the database as clear text!
26 #The addslashes() function is used to filter GET variables, but in a Blind attack we can prepare
27 #an SQL query that contains none of the characters addslashes() escapes. The addslashes() function is
28 #not applied to the variables used to log in, so classical SQL Injection can be used to log in as admin.
29
30 #Vulnerable files: index.php, php/lib/del.php, php/lib/download_backup.php, php/lib/navig.php,
31 #php/lib/restore.php, php/lib/set_12.php, php/lib/set_14.php, php/lib/upd_doc.php
32
33 #==================================================================================================
34
35 #=======================================================================